Can't change open_basedir setting

bdaccount

Hi,

I've been struggling to change the open_basedir setting on a CentOS 7 server running Apache 2.4 and php-fpm 7.3.

I want to add a directory (/mnt/mediastorage/) to the open_basedir path but whenever or wherever I change the setting, it doesn't seem to work. I've used suggestions from this post amongst others https://help.directadmin.com/item.php?id=672

What I tried:

- Modify custom httpd configuration https://help.directadmin.com/item.php?id=182
- Another way of modifying through custom httpd config https://help.directadmin.com/item.php?id=636
- Use a .user.ini file https://help.directadmin.com/item.php?id=682
- Edit the main php.ini file AND add a custom .ini file as described here https://help.directadmin.com/item.php?id=622

phpinfo() gives:

Loaded Configuration File /usr/local/php73/lib/php.ini
Scan this dir for additional .ini files /usr/local/php73/lib/php.conf.d
Additional .ini files parsed /usr/local/php73/lib/php.conf.d/10-directadmin.ini, /usr/local/php73/lib/php.conf.d/30-openbasedir.ini, /usr/local/php73/lib/php.conf.d/50-webapps.ini

open_basedir
Local Value: /home/user/:/tmp/:/var/tmp/:/opt/alt/php73/usr/share/pear/:/dev/urandom:/usr/local/php73/lib/:/usr/local/php73/lib/:/usr/local/php56/lib/:/usr/local/lib/php/
Master Value: /home/user/:/tmp/:/var/tmp/:/opt/alt/php73/usr/share/pear/:/dev/urandom:/usr/local/php73/lib/:/usr/local/php73/lib/:/usr/local/php56/lib/:/usr/local/lib/php/

It does show the additional 30-openbasedir.ini being parsed which contains this line:

open_basedir = "/home/user/:/mnt/mediastorage/:/tmp/:/var/tmp/:/opt/alt/php73/usr/share/pear/:/dev/urandom:/usr/local/php73/lib/:/usr/local/php73/lib/:/usr/local/php56/lib/:/usr/local/lib/php/"

Each time I made a change I restarted the php-fpm & httpd processes. The result is always the same: open_basedir isn't changed/overridden.

I guess I'm missing something, anybody have an idea?
 
For what it's worth, it looks like the open_basedir setting from the 30-openbasedir.ini file is in effect for PHP-CLI, but not for PHP-FPM. And I actually need it changed for the latter.
 
I'd personally aim for the per-account php-fpm.conf settings, rather than a .ini override that all other Users would "load" even if it's out of their path/host.
Code:
Admin Level » Custom Httpd Config » php-fpm
which should bring you to a URL that might look like this, if it's for User "fred":
Code:
/admin/custom-httpd/fred/php-fpm/7.4/global_custom1

In the |CUSTOM1| php-fpm token, you'd add:
Code:
|?OPEN_BASEDIR_PATH=`OPEN_BASEDIR_PATH`:/mnt/mediastorage|
which should do the trick.

NOTE: I did find a segfault on CentOS 8 when testing this. It's now fixed:
If you run into the same thing (segfault when saving the token), please grab the latest pre-release binaries.

John
 
Thanks for the suggestion John. I did manage to get it working in the end when I changed [DOMAIN=domain.com] to [PATH=/home/user] in the .ini file.

I do prefer the setting through directadmin console and just tried it that way, and guess what, it worked!

The difference is I clicked on:
Code:
Admin Level > Custom Httpd Config > domain.com
instead of:
Code:
Admin Level > Custom Httpd Config > php-fpm (behind the user name)

So the URL looked like:
Code:
/CMD_CUSTOM_HTTPD?domain=domain.com
instead of:
Code:
/CMD_CUSTOM_HTTPD?user=user&php-fpm=7.3

The open basedir setting did not work with the domain method, but does work with the php-fpm method.
 
If you're running Enhanced, then your URLs would be correct (I was referencing the Evolution skin).
With php-fpm enabled, Apache does not run PHP, the php-fpm server does, hence the php-fpm method.
If PHP were to be run through mod_php, then Apache does control it and the OBD changes would go into the custom domain config, inserted right into the User's httpd.conf.
 
Yeah running the enhanced skin. What you say makes sense of course but what I meant to say was it wasn't obvious (to me) that I could click on php-fpm behind the user name for the correct method. Now I know and maybe this thread will help someone else as well :)
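
The CLI/FPM difference this thread arrives at, as an added example that is not part of the original posts: the CLI takes open_basedir from the ini files, while a value pinned in the php-fpm pool file wins for FPM requests. It assumes the pool sets the value with php-fpm's `php_admin_value[open_basedir]` directive (the thread does not show the pool file); all file contents below are constructed samples.

```python
import posixpath
import re

# Constructed sample inputs modelled on the values quoted in the thread.
INI_TEXT = '''
; 30-openbasedir.ini (constructed)
open_basedir = "/home/user/:/mnt/mediastorage/:/tmp/:/var/tmp/"
'''
POOL_BEFORE = '''
[user]
; assumption: the pool pins the value; the thread does not show this file
php_admin_value[open_basedir] = /home/user/:/tmp/:/var/tmp/
'''
# Same pool after the extra directory is appended, as the token does.
POOL_AFTER = POOL_BEFORE.replace("/var/tmp/", "/var/tmp/:/mnt/mediastorage")


def _value(text, key_regex):
    """Return the last uncommented value assigned to a key, or None."""
    found = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#")):
            continue
        m = re.match(key_regex + r"\s*=\s*(.*)$", line)
        if m:
            found = m.group(1).strip().strip('"')
    return found


def effective(ini_text, pool_text=None):
    """CLI reads only the ini files; an FPM pool value overrides them."""
    ini = _value(ini_text, r"open_basedir")
    pool = _value(pool_text, r"php_admin_value\[open_basedir\]") if pool_text else None
    return pool if pool is not None else ini


def allows(open_basedir, target):
    """True if target equals or lies under a listed directory.
    Lexical check only: '..' is collapsed, symlinks are not resolved."""
    if not open_basedir:  # unset or empty means no restriction at all
        return True
    t = posixpath.normpath(target)
    for entry in filter(None, open_basedir.split(":")):
        base = posixpath.normpath(entry)
        if t == base or t.startswith(base.rstrip("/") + "/"):
            return True
    return False
```

Run `allows(effective(INI_TEXT, pool), path)` against the real pool and ini contents after each change to confirm that only the intended directory was added to the allow-list.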
 