Articles

How to Restrict the Directories PHP Can Access Using open_basedir

By default, PHP does not restrict which files and directories your PHP scripts can access. To restrict the directories that can be accessed, you can use PHP's open_basedir setting.

In the instructions below, replace APPNAME with the name of your app and replace phpX.Y with the PHP version your app is using.

To set open_basedir for one of your apps, log in to your server as the root user and create the file:

/etc/phpX.Y-sp/fpm-pools.d/APPNAME.d/open_basedir.conf

with the contents:

php_admin_value[open_basedir] = /srv/users/serverpilot/apps/APPNAME/

Then, restart PHP with the following command:

sudo service phpX.Y-fpm-sp restart

Important: PHP's open_based provides limited security. Unless you also disable all shell command execution capabilities of PHP, a script could still access files outside of the open_basedir using shell commands. For more information, see the PHP documentation for open_based.