you're not safe with php_opendir anyway!
Oh. That's an old thread
Hope someone still cares about security...
DirectAdmin Support, unfortunately, open_basedir is not a jail - that's not enough to cover PHP security problems.
So. What I know about php-security.
If you are using mod_php and want to prevent users from accessing each other's PHP scripts and files, you have 3 ways:
1. Use the mod_become Apache module or a similar Apache patch (with Apache children running under root). Some believe it's harmless, some believe it's dangerous. It's simple and effective, but I'm still afraid to use that solution.
2. Use open_basedir AND disable ALL exec-related php-functions.
If you do not disable these functions, a user is able to exec their own binary or CGI, and that process will be able to access any files readable by the 'apache' user (PHP files of any user, for example).
3. Use safe_mode and define safe_exec_dir.
I think this way is the most secure and flexible. A user can't access files owned by other users via PHP. And you can put some binaries in safe_exec_dir if you are sure it's safe (such programs must not operate on any files that the user may specify).
Besides that, in cases 2. and 3. you also need to disable the FollowSymLinks option in Apache (substitute it with SymLinksIfOwnerMatch). If you don't do that, any user will be able to read files readable by 'apache' again (not always, but in many situations). Maybe this also applies to way 1. (if mod_become doesn't make it possible to use 600 permissions on PHP files) - I'm not sure.
And additionally, don't forget - compile PHP with the bundled MySQL library or disable "LOAD DATA LOCAL" in MySQL.
But after all of that you still need to think twice when you are going to add any additional module to PHP: if the functions of that module deal with files _directly_, it can break your security, because safe_mode or open_basedir restrictions will not work for those functions.
BTW, a few days ago I implemented a small patch to the safe mode checks in PHP - and now with the safe_mode_gid option it causes much less pain to users and still remains very safe =)
That's all. (Hope I haven't missed anything...)
Any additions, suggestions, solutions and advice are welcome.
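
An added example, not part of the original post: a small Python audit of way 2 and of the FollowSymLinks advice above. It checks php.ini-style text for open_basedir plus a fully disabled set of exec-related functions, and Apache config text for Options lines that still enable FollowSymLinks. The function list in `EXEC_FUNCS` and all sample configs are assumptions constructed for illustration.

```python
import re

# Assumption: the post does not enumerate "exec-related" functions; this set is illustrative.
EXEC_FUNCS = {"exec", "system", "passthru", "shell_exec", "popen", "proc_open", "pcntl_exec"}

def parse_ini(text):
    """Return {directive: value} from php.ini-style text (';' comments, [sections] skipped)."""
    conf = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line and not line.startswith("["):
            key, val = line.split("=", 1)
            conf[key.strip().lower()] = val.strip().strip('"')
    return conf

def audit_php(ini_text):
    """Way 2: open_basedir must be set AND every exec-related function disabled."""
    conf = parse_ini(ini_text)
    findings = []
    if not conf.get("open_basedir"):
        findings.append("open_basedir is not set")
    disabled = {f.strip().lower() for f in conf.get("disable_functions", "").split(",")}
    missing = sorted(EXEC_FUNCS - disabled)
    if missing:
        findings.append("exec-related functions still enabled: " + ", ".join(missing))
    return findings

def audit_apache(conf_text):
    """Report line numbers of Options directives that leave FollowSymLinks enabled."""
    hits = []
    for num, line in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"\s*Options\s+(.*)", line, re.IGNORECASE)
        if m and any(o.lower() in ("followsymlinks", "+followsymlinks")
                     for o in m.group(1).split()):
            hits.append(num)
    return hits

# Constructed sample configs (not from the post).
WEAK_INI = "open_basedir = /home/alice/:/tmp/\ndisable_functions = exec,system ; incomplete\n"
HARD_INI = ("open_basedir = /home/alice/:/tmp/\n"
            "disable_functions = " + ",".join(sorted(EXEC_FUNCS)) + "\n")
WEAK_APACHE = "<Directory /home>\n    Options Indexes FollowSymLinks\n</Directory>\n"
HARD_APACHE = "<Directory /home>\n    Options Indexes SymLinksIfOwnerMatch\n</Directory>\n"

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARD_INI)):
        print(name, "php.ini:", audit_php(ini) or "ok")
    for name, conf in (("weak", WEAK_APACHE), ("hardened", HARD_APACHE)):
        print(name, "apache FollowSymLinks lines:", audit_apache(conf))
```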