My system is CentOS 7.4, with Apache 2.4.6 and PHP 5.4.
I have the following settings in /etc/php.ini:
open_basedir =.:/tmp/:/var/lib/php/session/
session.save_path = "/var/lib/php/session"
session.entropy_length = 0
;session.entropy_file = /dev/urandom
I read in the PHP manual:
Note: Removed in PHP 7.1.0. As of PHP 5.4.0 session.entropy_file defaults to /dev/urandom or /dev/arandom if it is available. In PHP 5.3.0 this directive is left empty by default.
I am asking whether I should add /dev/urandom into open_basedir, such as:
open_basedir =.:/tmp/:/var/lib/php/session/:/dev/urandom/

I think you don't need to, unless your own PHP code needs to read from /dev/urandom with either the include() or fopen() or similar functions.

AFAIK the open_basedir restriction is only built into functions that will take any user (developer) supplied file names as input. The session generator (and, for instance, other crypto functions that need random data) does not read from just any filename; session.entropy_file needs to be set by an administrator, and it is very unlikely that open_basedir restrictions have been applied to the specific code that will read random data from that session.entropy_file.
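
A way to check the behaviour described in the answer on your own server, as an added example that is not part of the original posts: the script restricts open_basedir to the temp directory, tries a userland fopen() of /dev/urandom, then starts a session and reports which of the two steps raised warnings. The file name and variable names are hypothetical. It assumes any open_basedir already in effect includes the temp directory and that session.entropy_length is greater than 0 (with 0, as in the question's php.ini, PHP 5.4 does not read the entropy file at all).

```php
<?php
// Added diagnostic, not from the original thread. Run from the CLI, e.g.:
//   php -d session.entropy_length=32 check_basedir.php
// (check_basedir.php is an arbitrary name; the session.entropy_* directives
// were removed in PHP 7.1, so drop the -d flag there.)

$warnings = array();
set_error_handler(function ($errno, $message) use (&$warnings) {
    $warnings[] = $message;   // collect warnings instead of printing them
    return true;
});

// Restrict file access to the temp directory only; /dev/urandom is NOT listed.
$tmp = realpath(sys_get_temp_dir());
ini_set('open_basedir', $tmp);

// 1. Userland file access: fopen() is checked against open_basedir.
$fh = fopen('/dev/urandom', 'rb');
$userlandBlocked = ($fh === false);
if ($fh) {
    fclose($fh);
}
$afterFopen = count($warnings);

// 2. Session ID generation: PHP reads its random source internally,
//    not through the userland file functions.
session_save_path($tmp);      // save path must itself be inside open_basedir
$started = session_start();
$sessionWarnings = array_slice($warnings, $afterFopen);

printf("open_basedir in effect     : %s\n", ini_get('open_basedir'));
printf("fopen('/dev/urandom') blocked: %s\n", $userlandBlocked ? 'yes' : 'no');
printf("session started             : %s (id length %d)\n",
    $started ? 'yes' : 'no', strlen(session_id()));
printf("warnings during session_start: %d\n", count($sessionWarnings));
foreach ($sessionWarnings as $w) {
    printf("  %s\n", $w);
}

session_destroy();            // remove the test session file
```

If the fopen() line reports "yes" and session_start() reports zero warnings, session ID generation is not affected by leaving /dev/urandom out of open_basedir.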