fickle gods

Thriving on inconsistencies

Sandbox a directory using php.ini

There can be any number of reasons you would want to “Sandbox” a directory on your web server. If you’re hosting multiple websites you would want to make sure that any problems with one wouldn’t affect any of the others, or if you have an interactive part of your website where users are allowed to upload things, you want to keep it secure. Just a quick definition of ‘sandbox’ as I understand it: A way to isolate, make sure that a problem in the sandbox has no way of spreading to the outside. Basically it’s a quarantine or isolation.

First off, I just want to say that I’m just learning as I go along and I would really appreciate any feedback in the comments below or through any other means. Unfortunately for me I can’t really know the effectiveness of my security measures until I actually get attacked (which I try to avoid!), so we will all benefit from each other’s experience here.

I recommend the following changes. They require you to put a copy or new version of the php.ini file in the directory that you want to sandbox. For this example, we’ll call it /username/www/sandboxdir/

Setting the open_basedir

In the php.ini file, find the line with open_basedir. It’s usually commented out, so remove the semicolon from the front of it and set the directory to our sandbox directory. Basically what this does is limit anything that PHP can do to the specified directory tree. It won’t be able to read or write anything from a higher level (or sideways) in the directory tree.

Setting the upload_tmp_dir

This is only required if some part of your script allows file uploads. I’ve experienced that after setting open_basedir, the temporary directory is outside its scope. Find the line in the php.ini with upload_tmp_dir, which will probably also be commented out (just remove the semicolon), and put in /username/www/sandboxdir/tmp/

You notice that we’re referring to a folder called tmp which probably doesn’t exist yet, so go ahead and make that folder. Naturally you can name this folder anything you want or have it nested within another folder. Just make sure you are consistent with your php.ini file.

Remove write permissions from php.ini file

Lastly, you need to change the permissions of the php.ini file. This is actually very crucial but often overlooked. By default, files have permission 644; just change it to 444. This only allows reading.
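The three steps above put together as a shell script, an example added here rather than code from the post: it assumes the server’s PHP reads a php.ini from the script’s own directory (as CGI/FastCGI setups typically do), and the sandbox path is a hypothetical argument rather than the post’s /username/www/sandboxdir/.

```shell
#!/bin/sh
# Added example (not from the original post): create a sandbox php.ini for one
# directory and verify the result. The directory path is passed in as $1.

# Write php.ini into $1 with open_basedir and upload_tmp_dir inside the sandbox,
# create the tmp folder, and make php.ini read-only (mode 444).
sandbox_dir() {
    dir="$1"
    mkdir -p "$dir/tmp" || return 1
    # A previous run leaves php.ini read-only; make it writable before overwriting.
    [ -f "$dir/php.ini" ] && chmod u+w "$dir/php.ini"
    cat > "$dir/php.ini" <<EOF
; Sandbox settings (constructed example)
; Restrict PHP file access to this directory tree only.
open_basedir = "$dir/"
; Keep upload temp files inside the sandbox; the default tmp dir is outside open_basedir.
upload_tmp_dir = "$dir/tmp/"
EOF
    chmod 444 "$dir/php.ini"
}

# Check the three settings the post asks for: prints each problem found,
# returns 0 only when all of them are in place.
check_sandbox() {
    dir="$1"
    ini="$dir/php.ini"
    ok=0
    grep -qxF "open_basedir = \"$dir/\"" "$ini" 2>/dev/null || { echo "open_basedir not set to $dir/"; ok=1; }
    grep -qxF "upload_tmp_dir = \"$dir/tmp/\"" "$ini" 2>/dev/null || { echo "upload_tmp_dir not set to $dir/tmp/"; ok=1; }
    [ -d "$dir/tmp" ] || { echo "missing $dir/tmp"; ok=1; }
    # Permission bits as octal (GNU stat first, BSD/macOS stat as fallback).
    mode=$(stat -c %a "$ini" 2>/dev/null || stat -f %Lp "$ini" 2>/dev/null)
    [ "$mode" = "444" ] || { echo "php.ini mode is ${mode:-missing}, expected 444"; ok=1; }
    return $ok
}
```

Note that open_basedir only restricts PHP’s own file functions, and mode 444 stops casual edits but the file’s owner can still change the mode back, so the web server should ideally run as a different user from the one owning php.ini.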


And that’s it. You’ll need to go through this process for every directory that you want to sandbox, but in the end you’ll sleep better at night. Once again, I would really appreciate feedback from anyone with some experience or better tips for making your web server a safer place. Thanks!
