problem in set open_basedir in php.ini :(((

shahab

Hello

When I enable open_basedir in php.ini, roundcube and phpmyadmin don't work and show a white page

open_basedir = /home/:/tmp:/var/tmp:/usr/local/lib/php/

please help me
 
That's wrong to add the line:

Code:
open_basedir = /home/:/tmp:/var/tmp:/usr/local/lib/php/

in a global php.ini. If you want to use open_basedir in the global php.ini you should add /var/www/html into the line:

Code:
open_basedir = /home/:/tmp:/var/tmp:/var/www/html:/usr/local/lib/php/

Otherwise you should use individual per user php.ini, and set open_basedir there.

CustomBuild 2.0 by default uses /usr/local/php<PHP_VERSION>/lib/php.conf.d/ to scan for additional .ini files. To follow this guide http://help.directadmin.com/item.php?id=183 you should add:

Code:
SetEnv PHP_INI_SCAN_DIR /usr/local/directadmin/data/users/|USER|/php/

directly into a VirtualHost as a custom code or into a template to make it global. In this case file /usr/local/php<PHP_VERSION>/lib/php.conf.d/10-directadmin.ini won't be loaded any longer. And you will lose modules: suhosin, ioncube, zend, etc; directives to load them are located in /usr/local/php<PHP_VERSION>/lib/php.conf.d/10-directadmin.ini. So you probably will need to move them into the global php.ini (that's a possible solution).

So what is left (without much modification of file organisation) is to either use open_basedir in global php.ini (/var/www/html should be added into open_basedir), or to switch to fastcgi/PHP-FPM.
 
You could use the following in global php.ini file or php.conf.d directory:
Code:
[PATH=/home/USER]
open_basedir=/home/USER:/usr/local/phpVER/lib/:/tmp

Or use HOST instead of PATH, like:
Code:
[HOST=domain.com]
open_basedir=/home/USER:/usr/local/phpVER/lib/:/tmp

Any of these should work. And I'd recommend removing the global open_basedir setting altogether.
 
I used your command but directadmin cannot take the backup and shows this error:

PHP Warning: parse_ini_file(): open_basedir restriction in effect. File(/usr/local/directadmin/conf/mysql.conf) is not within the allowed path(s): (/home/:/tmp:/var/tmp:/var/www/html:/usr/local/lib/php/) in /usr/local/directadmin/scripts/backup_roundcube.php on line 67
PHP Warning: parse_ini_file(/usr/local/directadmin/conf/mysql.conf): failed to open stream: Operation not permitted in /usr/local/directadmin/scripts/backup_roundcube.php on line 67
PHP Warning: mysqli::mysqli(): (28000/1045): Access denied for user 'root'@'localhost' (using password: NO) in /usr/local/directadmin/scripts/backup_roundcube.php on line 104
Failed to connect to MySQL: (1045) Access denied for user 'root'@'localhost' (using password: NO)
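
A way to triage warnings like the ones above, as an added example that is not part of the original thread: it extracts the refused file, the allowed list and the calling script from PHP's open_basedir denial message. The `outside_home` flag assumes user sites live under /home/, as in the paths quoted in this thread.

```python
import re
from collections import defaultdict

# Warning lines copied from the post above.
SAMPLE_LOG = """\
PHP Warning: parse_ini_file(): open_basedir restriction in effect. File(/usr/local/directadmin/conf/mysql.conf) is not within the allowed path(s): (/home/:/tmp:/var/tmp:/var/www/html:/usr/local/lib/php/) in /usr/local/directadmin/scripts/backup_roundcube.php on line 67
PHP Warning: parse_ini_file(/usr/local/directadmin/conf/mysql.conf): failed to open stream: Operation not permitted in /usr/local/directadmin/scripts/backup_roundcube.php on line 67
"""

DENIAL = re.compile(
    r"(?P<func>\w+(?:::\w+)?)\(\): open_basedir restriction in effect\. "
    r"File\((?P<file>.+?)\) is not within the allowed path\(s\): "
    r"\((?P<allowed>.*?)\) in (?P<script>.+?) on line (?P<line>\d+)"
)

def parse_denials(text):
    """Return one dict per open_basedir denial found in the log text."""
    denials = []
    for match in DENIAL.finditer(text):
        d = match.groupdict()
        d["allowed"] = [p for p in d["allowed"].split(":") if p]
        d["line"] = int(d["line"])
        # Assumption: anything not under /home/ is a system script, so the
        # denial is a side effect of setting open_basedir globally.
        d["outside_home"] = not d["script"].startswith("/home/")
        denials.append(d)
    return denials

def summarize(denials):
    """Map each calling script to the sorted list of files it was refused."""
    by_script = defaultdict(set)
    for d in denials:
        by_script[d["script"]].add(d["file"])
    return {script: sorted(files) for script, files in by_script.items()}

if __name__ == "__main__":
    for script, files in summarize(parse_denials(SAMPLE_LOG)).items():
        print(script, "->", ", ".join(files))
```

Denials raised by scripts outside /home/ point at the global setting itself rather than at a path missing from the list.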
 
Which one? I suggested two ways to go. I guess you followed the first one and set open_basedir globally, that's why you faced an issue with backups. So you'd better go the second way.
 
Hello

The first way.
The second way needs edits to all users' vhosts.
 
I'm having a similar problem with nginx + apache + php-fpm when I'm trying to access `/roundcube/` or `/phpmyadmin/` from within a user's domain.

And I strongly suggest You to NOT add `/var/www/html` to `open_basedir` in custom templates, because all users will then be able to read/load for example roundcube's configuration file, which contains the user and password to the database, in which roundcube stores all data.

The best solution in this case is probably to completely disable `/etc/httpd/conf/extra/https-alias.conf`.

What do you think?
 
Are you sure? Probably I'm missing something, so please correct me.

Code:
-r--r----- 1 webapps webapps 4496 Sep 18 03:15 /var/www/html/roundcube/config/config.inc.php

How can it be accessed by a user bob, for example, when all his PHP scripts are executed under his name?

Code:
# sudo -u bob cat /var/www/html/roundcube/config/config.inc.php
cat: /var/www/html/roundcube/config/config.inc.php: Permission denied

and

Code:
# sudo -u bob php
<?php
readfile("/var/www/html/roundcube/config/config.inc.php");

returns

Code:
PHP Warning:  readfile(/var/www/html/roundcube/config/config.inc.php): failed to open stream: Permission denied in - on line 2
 
Of course You're right zEitEr, my paranoid statement is true only if no suPHP is used and roundcube's files have non-standard ownership, like webapps:access or/and at least 644 permissions.
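
The point the last two posts settle on, as an added example that is not part of the original thread: open_basedir only limits which paths PHP may open, while ownership and mode bits decide whether a given user can read a file there. The script lists config files under the open_basedir entries that a given uid and group set could read; the function names, the `.inc.php` suffix filter and the temporary demo tree are assumptions made for illustration.

```python
import os
import stat
import tempfile

def can_read(st, uid, gids):
    """POSIX mode-bit read check for a non-root uid: owner, else group, else other."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def exposed_files(open_basedir, uid, gids, suffix=".inc.php"):
    """List (path, mode) for matching files under open_basedir that uid/gids can read.

    Only the file's own mode bits are evaluated; ACLs and parent-directory
    permissions are not, so treat hits as candidates to confirm by hand.
    """
    hits = []
    for base in filter(None, open_basedir.split(":")):
        for root, _dirs, files in os.walk(base):
            for name in files:
                if not name.endswith(suffix):
                    continue
                path = os.path.join(root, name)
                try:
                    st = os.stat(path)
                except OSError:
                    continue
                if can_read(st, uid, gids):
                    hits.append((path, stat.filemode(st.st_mode)))
    return sorted(hits)

def build_demo_tree():
    """Constructed sample: one config at 0440 (as in the thread), one at 0644."""
    base = tempfile.mkdtemp(prefix="basedir-demo-")
    for app, mode in (("roundcube", 0o440), ("otherapp", 0o644)):
        os.makedirs(os.path.join(base, app, "config"))
        path = os.path.join(base, app, "config", "config.inc.php")
        with open(path, "w") as fh:
            fh.write("<?php // constructed placeholder\n")
        os.chmod(path, mode)
    return base

if __name__ == "__main__":
    demo = build_demo_tree()
    other_uid = os.getuid() + 1  # hypothetical user who owns neither file
    for path, mode in exposed_files(demo + ":/nonexistent", other_uid, set()):
        print(mode, path)
```

With no matching group only the 0644 file is reported; passing the file's group in `gids` also reports the 0440 one, which is the non-standard ownership case mentioned above.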
 