More than a month has passed since I published my PHP extension fixing the performance issues with NFS and PHP. Since then, turbo_realpath has become quite popular among Web administrators. Unfortunately, despite my warnings, many of them don’t disable the PHP functions responsible for creating links and symlinks, or do it wrong way.
For this reason I decided to publish a new version of the turbo_realpath extension, which adds the ability to automatically disable dangerous functions in PHP.
How to install turbo_realpath?
You can download this extension from this link.
In order to use this extension, you have to compile it first:
unzip realpath_turbo_1.1.zip cd realpath_turbo phpize ./configure make cp modules/turbo_realpath.so /usr/lib/php/modules
Please, remember to change /usr/lib/php/modules to the path used by your PHP installation.
Next, you have to configure this PHP extension in php.ini file, like so:
; you have to load the extension first extension=turbo_realpath.so ; set this to 1 in order to disable dangerous PHP functions (link,symlink), or set to 0 in order to ignore potential security issues realpath_cache_security = 1 ; then copy the value of open_basedir into realpath_cache_basedir parameter realpath_cache_basedir = /var/www/html/drupal ; and finally DISABLE the open_basedir setting, ; it will be changed automatically to the value of a realpath_cache_basedir setting. ; open_basedir=""
As you can see, in order to use this extension, you have to move the value of open_basedir setting into realpath_cache_basedir and then disable open_basedir itself. After this, PHP will reenable open_basedir restrictions automatically.