
Allow configuration from .user.ini

Open ferfebles opened this issue 1 year ago • 1 comments

realpath_turbo can only be configured from php.ini.

We have a number of webservers that all serve several PHP applications. We would like to restrict each app to their own open_basedir, but with a general configuration in php.ini we have to broaden open_basedir to include the folders of all the applications.

We had open_basedir configured in the .user.ini application folder. But that's not possible with realpath_turbo.

Could the mode for realpath_turbo be changed from PHP_INI_SYSTEM to PHP_INI_PERDIR, allowing the use from .user.ini?

ferfebles, Mar 07 '23 09:03

I don't think that this would be a good idea. With PHP_INI_PERDIR, the user owning the directory could change this setting, which would have security implications. Imagine a web application gets compromised. In that case the attacker could create a .user.ini file and change disable_dangerous_functions or even set a different open_basedir.

For the PHP-FPM world, I recommend putting this into the pool configuration via the php_admin_value syntax. Not tested, but using per-dir settings via php.ini like

[PATH="/var/www/example.org"]
realpath_turbo.open_basedir="/var/www/example.org:/usr/share/php"

which would set realpath_turbo's setting open_basedir to "/var/www/example.org:/usr/share/php", should work, too.

Whissi, Mar 09 '23 14:03
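
The PHP-FPM pool approach recommended in the reply above, sketched as an added example that is not part of the original thread or the realpath_turbo project. Pool names, users, socket paths, process-manager values and the second docroot (/var/www/example.net) are assumptions; only realpath_turbo.open_basedir and the example.org paths come from the thread.

```ini
; Constructed example. Pool names, users, sockets and /var/www/example.net
; are assumptions made for illustration.

; Before: a single value in php.ini has to cover every application, so
; each app can reach the other apps' folders.
; realpath_turbo.open_basedir = "/var/www/example.org:/var/www/example.net:/usr/share/php"

; After: one PHP-FPM pool per application. Each pool runs as its own
; system user and carries its own base directory. The value lives in the
; pool file, which is owned by the administrator and sits outside the
; docroot, so a compromised application cannot rewrite it.

[example_org]
user = example_org
group = example_org
listen = /run/php-fpm/example_org.sock
pm = ondemand
pm.max_children = 5
; php_admin_value settings cannot be changed at runtime with ini_set().
php_admin_value[realpath_turbo.open_basedir] = /var/www/example.org:/usr/share/php

[example_net]
user = example_net
group = example_net
listen = /run/php-fpm/example_net.sock
pm = ondemand
pm.max_children = 5
php_admin_value[realpath_turbo.open_basedir] = /var/www/example.net:/usr/share/php
```

After reloading PHP-FPM, the effective value can be checked per pool by requesting a script that prints ini_get('realpath_turbo.open_basedir') through each pool's socket.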