@DenisChenu Any thoughts?

open_basedir also need upload_tmp_dir and session.save_path and /dev/urandom.

Other tips: https://howtogetonline.com/how-to-harden-your-php-for-better-security.php

Argument against configuration: https://paragonie.com/blog/2017/01/configuration-driven-php-security-advice-considered-harmful

I have a lot of system where open_basedir is badly set, for example : path:/usr/php;. but open_basedir to . only.

I'm totally unsure if we need to try to fix server security issue. Do you know a free tool who check that ?

Eles :
allow_url_fopen : we need ot for auto update , no?
max_execution_time : we already set to 1200 is really boggest then we really need : WE must fix this and ask it only for stats (it's done for stats …)
expose_php: lol : security by hidding, let me laugh …
max_input_vars : default 1000 is broken for LimeSurvey for more tha 300 answers or some arrau/text : we must try to fix it and remove undeeded POSTED var.
display_errors : debug :0 => OK
open_basedir : on my .me : /home/www/demo.sondages.me/htdocs:/home/www/share/:/tmp:/home/www/demo.sondages.me/tmp:/home/www/demo.sondages.me/config:/home/www/share:/usr/share/php:/usr/share/pear : you say it's OK or not (same user for all www) ?, on .pro : no value : apache_mpm_itk : each server with their own user : user don't have rights on /etc for example : you say it's OK ? You can't : no value is unsecure BUT : mpm_itk do the secure here.

Default settings on /etc/passwd is -rw-r--r--, which means readable by all users, including a web user like www-data.

Right, but we must disallow reading files in open_basedir too : application/config/config.php is a good example.
Think this can fix issue is a bad solution : the last security issue is an exemple : LimeSurvey dev must care of ALL files reading before adding it …

About open_base_dir : https://www.limesurvey.org/forum/can-i-do-this-with-limesurvey/117910-excel-error-in-statistical-output-format#181576
:)

set_include_path("."); work with limesurvey, but maybe not what user want :)

Else on some server : ini_set can be used

set_include_path('.');
ini_set('open_basedir',dirname(dirname(dirname(__FILE__))));

in config.php

Then maybe can update default config.php to

@set_include_path('.');
@ini_set('open_basedir',dirname(dirname(dirname(__FILE__))));

@ollehar : i attch some security issue to this one, because i think Limesurvey must be "Secure proof" before give advice …

True. I was discussing on the ##php IRC channel about it, too. There's really no good way to check if your server is secure on the PHP level. You can check if the web user has access to this or that file, and recommend that it shouldn't, but there's no way to check if you are running in a secure container, jail or virtual machine.

"container > chroot > open_basedir"

This script could maybe be used in the security tab? "Extra PHP security check". https://github.com/sektioneins/pcc

See https://github.com/sektioneins/pcc/blob/master/phpconfigcheck.php#L162
The issue is here too : create a script to check security can show open door.

And super admin user are not always the server manager …

Found an issue about set_include_path(".");

$ php application/commands/console.php 
PHP Error[2]: include(DbConnection.php): failed to open stream: No such file or directory
    in file /mnt/data/shnoulle/nginx/www/master/framework/YiiBase.php at line 463
#0 /mnt/data/shnoulle/nginx/www/master/framework/YiiBase.php(463): include()
#1 unknown(0): autoload()
#2 unknown(0): spl_autoload_call()
#3 /mnt/data/shnoulle/nginx/www/master/framework/YiiBase.php(310): class_exists()
#4 /mnt/data/shnoulle/nginx/www/master/framework/YiiBase.php(204): import()
#5 /mnt/data/shnoulle/nginx/www/master/framework/base/CModule.php(393): createComponent()
#6 /mnt/data/shnoulle/nginx/www/master/framework/base/CModule.php(103): ConsoleApplication->getComponent()
#7 /mnt/data/shnoulle/nginx/www/master/application/core/ConsoleApplication.php(63): ConsoleApplication->__get()
#8 /mnt/data/shnoulle/nginx/www/master/framework/YiiBase.php(132): ConsoleApplication->__construct()
#9 /mnt/data/shnoulle/nginx/www/master/application/commands/console.php(56): createApplication()

Fixed with

if(!defined('YII_PATH')) {
    set_include_path('.');
    ini_set('open_basedir',dirname(dirname(dirname(__FILE__))));
}

Update the fix

if(!defined('YII_PATH')) {
    $tmpdir = ini_get('upload_tmp_dir') ? ini_get('upload_tmp_dir') : sys_get_temp_dir();
    set_include_path('.');
    ini_set('open_basedir',$tmpdir.PATH_SEPARATOR.dirname(dirname(dirname(__FILE__))));
}

@ollehar : maybe we can update the default generated config.php file when install ?
And

1. Set the runtimepath
2. Set the session cookie name (random string start by LIMESURVEY_)
3. Set the open_base_dir

Maybe this 3 can have option when install. Then we secure new installation by default ?
Your opinion ?

PS : 1st step is to have a config-generation.php file : most easy to update, with some replacement to do ( [REPLACEMENT] ? )

About security, maybe adding (when install).

1. Create upload/survey/1/ directory
2. Created a upload/survey/1/test.php who do an echo 'executed'
3. Call in ajax the php file
4. If receive another think than a 4XX error : send an warning
5. If receive “executed” send a danger

And for fu_file
Do the same things with a 1x1px image.

Current test

$runtimePath = "myruntimePath";
if(!defined('YII_PATH')) {
    $tmpdir = ini_get('upload_tmp_dir') ? ini_get('upload_tmp_dir') : sys_get_temp_dir();
    set_include_path('.');
    ini_set('open_basedir',$tmpdir.PATH_SEPARATOR.$runtimePath.PATH_SEPARATOR.dirname(dirname(dirname(__FILE__))));
}
…
…
    // Directory must be readable and writable by the webuser
    'runtimePath'=>$runtimePath,

But need runtimePath available when install

PS : set an open_base_dir on IIS/PHP broke timing all action take 5 seconds more.
I don't know why …

Set to current or set to empty or anything else … i really don't understand