Here's a short explanation of the configuration
directives.
safe_mode boolean
Whether to enable PHP's safe mode. Read the Security chapter
for more information.
safe_mode_gid boolean
By default, Safe Mode does a UID compare check when opening
files. If you want to relax this to a GID compare, then
turn on safe_mode_gid. This directive selects whether UID
(FALSE) or GID (TRUE) checking is used upon file access.
safe_mode_include_dir string
UID/GID checks are bypassed when including files from this
directory and its subdirectories (the directory must also be
in include_path, or the file must be included by its full path).
As of PHP 4.2.0, this directive can take a list of paths separated
by colons (semicolons on Windows), in a fashion similar to the
include_path directive, rather than just a single directory.
The restriction specified is actually a prefix, not a directory
name. This means that "safe_mode_include_dir = /dir/incl"
also allows access to "/dir/include" and "/dir/incls"
if they exist. When you want to restrict access to only
the specified directory, end with a slash. For example:
"safe_mode_include_dir = /dir/incl/"
safe_mode_exec_dir string
If PHP is used in safe mode, system() and the other functions
executing system programs refuse to start programs that
are not in this directory.
safe_mode_allowed_env_vars string
Setting certain environment variables may be a potential
security breach. This directive contains a comma-delimited
list of prefixes. In Safe Mode, the user may only alter
environment variables whose names begin with the prefixes
supplied here. By default, users will only be able to set
environment variables that begin with PHP_ (e.g. PHP_FOO=BAR).
Note: If this directive is empty, PHP will let the user
modify ANY environment variable!
safe_mode_protected_env_vars string
This directive contains a comma-delimited list of environment
variables that the end user won't be able to change using
putenv(). These variables will be protected even if safe_mode_allowed_env_vars
is set to allow changing them.
open_basedir string
Limit the files that can be opened by PHP to the specified
directory-tree, including the file itself. This directive
is NOT affected by whether Safe Mode is turned On or Off.
When a script tries to open a file with, for example, fopen()
or gzopen(), the location of the file is checked. When the
file is outside the specified directory-tree, PHP will refuse
to open it. All symbolic links are resolved, so it's not
possible to avoid this restriction with a symlink.
The special value . indicates that the directory in which
the script is stored will be used as base-directory.
Under Windows, separate the directories with a semicolon.
On all other systems, separate the directories with a colon.
As an Apache module, open_basedir paths from parent directories
are now automatically inherited.
The restriction specified with open_basedir is actually
a prefix, not a directory name. This means that "open_basedir
= /dir/incl" also allows access to "/dir/include"
and "/dir/incls" if they exist. When you want
to restrict access to only the specified directory, end
with a slash. For example: "open_basedir = /dir/incl/"
Note: Support for multiple directories was added in 3.0.7.
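
The following is an added example, not part of the original manual text or PHP's own code: a small configuration check for the prefix pitfall described under safe_mode_include_dir and open_basedir, and for the empty safe_mode_allowed_env_vars case noted above. The function names, the simplified INI parser and the sample configuration are assumptions made for illustration; prefix_allows() models the documented prefix rule as a plain string comparison and does not resolve symbolic links.

```python
# Added example: models the prefix rule as documented above; not PHP's own code.
PATH_DIRECTIVES = ("open_basedir", "safe_mode_include_dir")

def prefix_allows(restriction, path):
    """Documented behaviour: the restriction is a string prefix, not a directory."""
    return path.startswith(restriction)

def parse_ini(text):
    """Minimal 'name = value' parser; lines starting with ';' are comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        settings[name.strip()] = value.strip().strip('"')
    return settings

def audit(text, sep=":"):
    """Return (directive, value, problem) tuples; pass sep=';' for Windows."""
    findings = []
    settings = parse_ini(text)
    for name in PATH_DIRECTIVES:
        for entry in filter(None, settings.get(name, "").split(sep)):
            if name == "open_basedir" and entry == ".":
                continue  # special value: the script's own directory
            if not entry.endswith(("/", "\\")):
                findings.append((name, entry, "prefix match: add a trailing slash"))
    if settings.get("safe_mode_allowed_env_vars") == "":
        findings.append(("safe_mode_allowed_env_vars", "",
                         "empty: any environment variable can be modified"))
    return findings

# Constructed sample configuration (not from a real system).
SAMPLE_INI = """\
; constructed example
safe_mode = On
safe_mode_include_dir = "/dir/incl"
open_basedir = /dir/incl/:/srv/app:.
safe_mode_allowed_env_vars =
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI):
        print(finding)
    print(prefix_allows("/dir/incl", "/dir/include/x.php"))   # sibling directory passes
    print(prefix_allows("/dir/incl/", "/dir/include/x.php"))  # blocked by trailing slash
```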