SOLVED Adding open_basedir for multiple users

JLafranca

Dear all,

I am having some problems adding open_basedir for multiple users.

I am editing my file system_pool_defaults.yaml in /var/cpanel/ApachePHPFPM, where I am trying to add the following line:

Code:
php_value_open_basedir: { name: ‘php_value[open_basedir]’, value: /home/[% username %]/public_html:/tmp:/var/cpanel/php/sessions/ea-php70:/home/[% username %]/public_html/tmp:/home/[% username %]/public_html/logs }
However, this does not seem to work; I am getting a 503 error.
Could you assist?

Best wishes,
Jeff
 

JLafranca

Yes, I have, but I am under PHP-FPM, and I understood from other documentation that the open_basedir tweak in WHM does not apply to that. Furthermore, I already had this option on, but after migrating to PHP-FPM, this became ineffective. :)
 

cPanelLauren

Forums Analyst II
Staff member
Hi,

We've actually been trying to test this on my test server using php-fpm as well and are experiencing issues getting open_basedir to be enabled globally. The value added in the yaml file doesn't put out any errors for us, but it also doesn't enable open_basedir. We did find that adding it to the /opt/cpanel/ea-phpXX/root/etc/php-fpm.conf file and restarting php-fpm did respect the change; when rebuilding the php-fpm config it gets deleted.

I'd like to see if it would be possible for you to open a ticket for this (enabling open_basedir globally for php-fpm). If you can, please use the link in my signature and update this thread with the ticket ID.

Thank you,
 

Ricky G.

Linux Technical Analyst I
Staff member
Just for future reference I wanted to provide the solution to this issue should anyone come across this thread.

The line shown below was added to the file "/var/cpanel/ApachePHPFPM/system_pool_defaults.yaml"
Code:
php_value_open_basedir: { name: 'php_value[open_basedir]', value: "[% documentroot %]" }
Once that is added, you then need to rebuild your PHP-FPM configs, which can be done with the command below.
Code:
/usr/local/cpanel/scripts/php_fpm_config --rebuild
Rebuilding the configuration will also restart PHP-FPM for you after it's done, so the changes should go into effect immediately. You can check that the open_basedir directive was added to your users' pools with the one-liner below. This simply prints the number of files that contain the open_basedir directive.
Code:
grep -c open_basedir /opt/cpanel/ea-php70/root/etc/php-fpm.d/* | awk -F':' '{SUM+=$2}END{print SUM}'
If you wish to check that the directive is active with an account, the PHP script below can be added to a site and, when accessed, will print whether it's enabled or not.
PHP:
<?php
echo 'Open_basedir: ',(ini_get('open_basedir') ? 'Enabled' : 'Disabled');
?>
You can read more about how to make changes like these to your PHP-FPM system and user pool configurations at the links below.

PHP-FPM Configuration Template Locations

PHP-FPM System and User Pool Directives

Hope this helps!
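
A per-pool variant of the check above, as an added example that is not part of the original post or of cPanel's tooling: instead of one summed count, it lists each pool file and whether open_basedir is set through php_value, through php_admin_value (the form PHP-FPM does not let ini_set() override), or is missing. The sample pool files and the function names audit_pools, missing_pools and make_sample_pools are constructed for illustration; on a server, pass the pool directory used in the one-liner above.

```shell
#!/usr/bin/env bash
# Added example: per-pool open_basedir audit for PHP-FPM pool files.

# audit_pools DIR -> one line per pool file: "<file> <status> <value>"
#   admin   = set via php_admin_value[open_basedir]
#   user    = set via php_value[open_basedir] only
#   MISSING = no active, non-empty open_basedir line in the file
audit_pools() {
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue
        awk -v file="${f##*/}" '
            # Anchored at line start, so ";"-commented directives never match.
            match($0, /^[ \t]*php_(admin_)?value\[open_basedir\][ \t]*=/) {
                kind = (substr($0, 1, RLENGTH) ~ /admin/) ? "admin" : "user"
                val = substr($0, RLENGTH + 1)
                gsub(/^[ \t"]+|[ \t"]+$/, "", val)
                # An admin value takes precedence over a plain php_value.
                if (val != "" && !(status == "admin" && kind == "user")) {
                    status = kind; value = val
                }
            }
            END {
                if (status == "") { status = "MISSING"; value = "-" }
                printf "%s %s %s\n", file, status, value
            }
        ' "$f"
    done
}

# missing_pools DIR -> names of pool files with no open_basedir in effect.
missing_pools() {
    audit_pools "$1" | awk '$2 == "MISSING" { print $1 }'
}

# Constructed sample pools (hypothetical users and domains) for an offline run.
make_sample_pools() {
    printf '%s\n' '[example_com]' 'user = alice' \
        'php_value[open_basedir] = "/home/alice/public_html"' > "$1/example.com.conf"
    printf '%s\n' '[shop_test]' 'user = bob' \
        'php_admin_value[open_basedir] = /home/bob/public_html:/home/bob/tmp' > "$1/shop.test.conf"
    printf '%s\n' '[old_test]' 'user = carol' \
        '; php_value[open_basedir] = /home/carol/public_html' > "$1/old.test.conf"
}

demo_dir=$(mktemp -d)
make_sample_pools "$demo_dir"
audit_pools "$demo_dir"
echo "Pools without open_basedir: $(missing_pools "$demo_dir")"
rm -rf "$demo_dir"
```
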
 

abnet

@Ricky G.

Thank you for providing that information.

Is this open_basedir change, along with the disable_functions and user_ini, a sufficient alternative to the "Apache vhosts are not segmented or chroot()ed."?

Thank you.
 

linuxman1

Hi, thanks for this solution, it works! Why is the cPanel team not helping us more with securing our servers by including easy tools through WHM to do similar things like this?
 

linuxman1

Also, you should add tmp to the open_basedir restriction, so you allow apps like WordPress admins to upload images; they will need the tmp folder for this. Something like this, I think, will do:
Code:
php_value_open_basedir: { name: 'php_value[open_basedir]', value: "[% documentroot %]:[% homedir %]/tmp" }