SOLVED Adding open_basedir for multiple users

JLafranca · Apr 26, 2018

Dear all,

I am having some problems adding open_basedir for multiple users.

I am editing my file system_pool_defaults.yaml in /var/cpanel/ApachePHPFPM.
Where I am trying to add the following lines:

Code:

php_value_open_basedir: { name: ‘php_value[open_basedir]’, value: /home/[% username %]/public_html:/tmp:/var/cpanel/php/sessions/ea-php70:/home/[% username %]/public_html/tmp:/home/[% username %]/public_html/logs }

However, this does not seem to work, I am getting a 503 error.
Could you assist?

Best wishes,
Jeff

cPanelLauren · Apr 26, 2018

Hello,

Have you checked out our documentation on this here: PHP open_basedir Tweak - Version 68 Documentation - cPanel Documentation

JLafranca · Apr 26, 2018

Yes, I have, but I am under PHP-FPM, and I understood from other documentation, that the open_basedir tweak in WHM does not apply to that. Furthermore, I already had this option on, but after migrating to PHP-FPM, this became ineffective.

cPanelLauren · Apr 26, 2018

Hi,

We've actually been trying to test this on my test server using php-fpm as well and are experiencing issues getting open_basedir to be enabled globally the value added in the yaml file doesn't put out any errors for us but it also doesn't enable open_basedir. We did find that adding it to the /opt/cpanel/ea-phpXX/root/etc/php-fpm.conf file and restarting php-fpm did respect the change when rebuilding the php-fpm config it gets deleted.

I'd like to see if it would be possible for you to open a ticket for this (enabling open_basedir globally for php-fpm). If you can please use the link in my signature and update this thread with the ticket ID.

Thank you,

JLafranca · Apr 28, 2018

Thanks for your help so far, I managed to open a ticket.

Your Support Request ID is: 9475831

Ricky G. · Apr 29, 2018

Just for future reference I wanted to provide the solution to this issue should anyone come across this thread.

The line shown below was added to the file "/var/cpanel/ApachePHPFPM/system_pool_defaults.yaml"

Code:

php_value_open_basedir: { name: 'php_value[open_basedir]', value: "[% documentroot %]" }

Once that is added, you then need to rebuild your PHP-FPM configs which can be done with the command below.

Code:

/usr/local/cpanel/scripts/php_fpm_config --rebuild

Rebuilding the configuration will also restart PHP-FPM for you after it's done so the changes should go into effect immediately. You can check that the open_basedir directive was added to your users pools with the one liner below. This simply prints the number of files that contain the open_basedir directive in it.

Code:

grep -c open_basedir /opt/cpanel/ea-php70/root/etc/php-fpm.d/* | awk -F':' '{SUM+=$2}END{print SUM}'

If you wish to check that the directive is active with an account, the php script below can be added to a site and when accessed will print whether it's enabled or not.

PHP:

<?php
echo 'Open_basedir: ',(ini_get('open_basedir') ? 'Enabled' : 'Disabled');
?>

You can read more about how to make changes like these to your PHP-FPM system and user pool configurations at the links below.

PHP-FPM Configuration Template Locations

PHP-FPM System and User Pool Directives

Hope this helps!

cPanelLauren · Apr 30, 2018

@Ricky G. thanks for providing the solution!

abnet · Apr 6, 2019

@Ricky G.

Thank you for providing that information.

Is this open_basedir change along with the disable_functions and user_ini a sufficient alternative to the: "Apache vhosts are not segmented or chroot()ed."

Thank you.

linuxman1 · Sep 29, 2019

Ricky G. said:
Just for future reference I wanted to provide the solution to this issue should anyone come across this thread.

The line shown below was added to the file "/var/cpanel/ApachePHPFPM/system_pool_defaults.yaml"

Code:

php_value_open_basedir: { name: 'php_value[open_basedir]', value: "[% documentroot %]" }

Once that is added, you then need to rebuild your PHP-FPM configs which can be done with the command below.

Code:

/usr/local/cpanel/scripts/php_fpm_config --rebuild

Rebuilding the configuration will also restart PHP-FPM for you after it's done so the changes should go into effect immediately. You can check that the open_basedir directive was added to your users pools with the one liner below. This simply prints the number of files that contain the open_basedir directive in it.

Code:

grep -c open_basedir /opt/cpanel/ea-php70/root/etc/php-fpm.d/* | awk -F':' '{SUM+=$2}END{print SUM}'

If you wish to check that the directive is active with an account, the php script below can be added to a site and when accessed will print whether it's enabled or not.

PHP:

<?php echo 'Open_basedir: ',(ini_get('open_basedir') ? 'Enabled' : 'Disabled'); ?>

You can read more about how to make changes like these to your PHP-FPM system and user pool configurations at the links below.

PHP-FPM Configuration Template Locations

PHP-FPM System and User Pool Directives

Hope this helps!

Hi, Thanks for this solution, it works! Why Cpanel team not helping us more on securing our servers by including easy tools through WHM to do similar things like this?

linuxman1 · Sep 30, 2019

Ricky G. said:
Just for future reference I wanted to provide the solution to this issue should anyone come across this thread.

The line shown below was added to the file "/var/cpanel/ApachePHPFPM/system_pool_defaults.yaml"

Code:

php_value_open_basedir: { name: 'php_value[open_basedir]', value: "[% documentroot %]" }

Once that is added, you then need to rebuild your PHP-FPM configs which can be done with the command below.

Code:

/usr/local/cpanel/scripts/php_fpm_config --rebuild

Rebuilding the configuration will also restart PHP-FPM for you after it's done so the changes should go into effect immediately. You can check that the open_basedir directive was added to your users pools with the one liner below. This simply prints the number of files that contain the open_basedir directive in it.

Code:

grep -c open_basedir /opt/cpanel/ea-php70/root/etc/php-fpm.d/* | awk -F':' '{SUM+=$2}END{print SUM}'

If you wish to check that the directive is active with an account, the php script below can be added to a site and when accessed will print whether it's enabled or not.

PHP:

<?php echo 'Open_basedir: ',(ini_get('open_basedir') ? 'Enabled' : 'Disabled'); ?>

You can read more about how to make changes like these to your PHP-FPM system and user pool configurations at the links below.

PHP-FPM Configuration Template Locations

PHP-FPM System and User Pool Directives

Hope this helps!

Also you should add tmp to openbase_dir restriction, so you allow apps like WordPress admins to upload images, they will need tmp folder for this issue, something like this I think will do,
php_value_open_basedir: { name: 'php_value[open_basedir]', value: "[% documentroot %]:[% homedir %]/tmp" }

Thread starter	Similar threads	Forum	Replies	Date
J	Adding additional hard drives for accounts?	Workarounds and Optimization	3	Jun 20, 2019
	Adding Extra Block Storage to Server Question	Workarounds and Optimization	11	Jul 1, 2017
	suPHP, open_basedir, and Multi PHP via EA4...together for improved security	Workarounds and Optimization	5	May 5, 2016
M	Adding a new partition to an existing drive	Workarounds and Optimization	15	Feb 29, 2016
S	adding vCPU's	Workarounds and Optimization	1	Apr 24, 2012

Search

Search

SOLVED Adding open_basedir for multiple users

JLafranca

Registered

cPanelLauren

Forums Analyst II

JLafranca

Registered

cPanelLauren

Forums Analyst II

JLafranca

Registered

Ricky G.

Linux Technical Analyst I

cPanelLauren

Forums Analyst II

abnet

Member

linuxman1

Member

linuxman1

Member