SOLVED Adding open_basedir for multiple users

[JLafranca]

Dear all,

I am having some problems adding open_basedir for multiple users.

I am editing my file system_pool_defaults.yaml in /var/cpanel/ApachePHPFPM.
Where I am trying to add the following lines:

php_value_open_basedir: { name: ‘php_value[open_basedir]’, value: /home/[% username %]/public_html:/tmp:/var/cpanel/php/sessions/ea-php70:/home/[% username %]/public_html/tmp:/home/[% username %]/public_html/logs }

However, this does not seem to work, I am getting a 503 error.
Could you assist?

Best wishes,
Jeff

 

[cPanelLauren]

Hello,


Have you checked out our documentation on this here: PHP open_basedir Tweak - Version 68 Documentation - cPanel Documentation

 

[JLafranca]

Yes, I have, but I am under PHP-FPM, and I understood from other documentation, that the open_basedir tweak in WHM does not apply to that. Furthermore, I already had this option on, but after migrating to PHP-FPM, this became ineffective.

 

[cPanelLauren]

Hi,

We've actually been trying to test this on my test server using php-fpm as well and are experiencing issues getting open_basedir to be enabled globally the value added in the yaml file doesn't put out any errors for us but it also doesn't enable open_basedir. We did find that adding it to the /opt/cpanel/ea-phpXX/root/etc/php-fpm.conf file and restarting php-fpm did respect the change when rebuilding the php-fpm config it gets deleted.

I'd like to see if it would be possible for you to open a ticket for this (enabling open_basedir globally for php-fpm). If you can please use the link in my signature and update this thread with the ticket ID.

Thank you,

 

[JLafranca]

Thanks for your help so far, I managed to open a ticket.

Your Support Request ID is: 9475831

 

[Ricky G.]

Just for future reference I wanted to provide the solution to this issue should anyone come across this thread.

The line shown below was added to the file "/var/cpanel/ApachePHPFPM/system_pool_defaults.yaml"

php_value_open_basedir: { name: 'php_value[open_basedir]', value: "[% documentroot %]" }

Once that is added, you then need to rebuild your PHP-FPM configs which can be done with the command below.

/usr/local/cpanel/scripts/php_fpm_config --rebuild

Rebuilding the configuration will also restart PHP-FPM for you after it's done so the changes should go into effect immediately. You can check that the open_basedir directive was added to your users pools with the one liner below. This simply prints the number of files that contain the open_basedir directive in it.

grep -c open_basedir /opt/cpanel/ea-php70/root/etc/php-fpm.d/* | awk -F':' '{SUM+=$2}END{print SUM}'

If you wish to check that the directive is active with an account, the php script below can be added to a site and when accessed will print whether it's enabled or not.

<?php
echo 'Open_basedir: ',(ini_get('open_basedir') ? 'Enabled' : 'Disabled');
?>

You can read more about how to make changes like these to your PHP-FPM system and user pool configurations at the links below.

PHP-FPM Configuration Template Locations

PHP-FPM System and User Pool Directives

Hope this helps!

 

[cPanelLauren]

@Ricky G. thanks for providing the solution!

 

[abnet]

@Ricky G.

Thank you for providing that information.

Is this open_basedir change along with the disable_functions and user_ini a sufficient alternative to the: "Apache vhosts are not segmented or chroot()ed."

Thank you.

 

[linuxman1]

Just for future reference I wanted to provide the solution to this issue should anyone come across this thread.

The line shown below was added to the file "/var/cpanel/ApachePHPFPM/system_pool_defaults.yaml"

php_value_open_basedir: { name: 'php_value[open_basedir]', value: "[% documentroot %]" }

Once that is added, you then need to rebuild your PHP-FPM configs which can be done with the command below.

/usr/local/cpanel/scripts/php_fpm_config --rebuild

Rebuilding the configuration will also restart PHP-FPM for you after it's done so the changes should go into effect immediately. You can check that the open_basedir directive was added to your users pools with the one liner below. This simply prints the number of files that contain the open_basedir directive in it.

grep -c open_basedir /opt/cpanel/ea-php70/root/etc/php-fpm.d/* | awk -F':' '{SUM+=$2}END{print SUM}'

If you wish to check that the directive is active with an account, the php script below can be added to a site and when accessed will print whether it's enabled or not.

<?php
echo 'Open_basedir: ',(ini_get('open_basedir') ? 'Enabled' : 'Disabled');
?>

You can read more about how to make changes like these to your PHP-FPM system and user pool configurations at the links below.

PHP-FPM Configuration Template Locations

PHP-FPM System and User Pool Directives

Hope this helps!

Hi, Thanks for this solution, it works! Why Cpanel team not helping us more on securing our servers by including easy tools through WHM to do similar things like this?

 

[linuxman1]

Just for future reference I wanted to provide the solution to this issue should anyone come across this thread.

The line shown below was added to the file "/var/cpanel/ApachePHPFPM/system_pool_defaults.yaml"

php_value_open_basedir: { name: 'php_value[open_basedir]', value: "[% documentroot %]" }

Once that is added, you then need to rebuild your PHP-FPM configs which can be done with the command below.

/usr/local/cpanel/scripts/php_fpm_config --rebuild

Rebuilding the configuration will also restart PHP-FPM for you after it's done so the changes should go into effect immediately. You can check that the open_basedir directive was added to your users pools with the one liner below. This simply prints the number of files that contain the open_basedir directive in it.

grep -c open_basedir /opt/cpanel/ea-php70/root/etc/php-fpm.d/* | awk -F':' '{SUM+=$2}END{print SUM}'

If you wish to check that the directive is active with an account, the php script below can be added to a site and when accessed will print whether it's enabled or not.

<?php
echo 'Open_basedir: ',(ini_get('open_basedir') ? 'Enabled' : 'Disabled');
?>

You can read more about how to make changes like these to your PHP-FPM system and user pool configurations at the links below.

PHP-FPM Configuration Template Locations

PHP-FPM System and User Pool Directives

Hope this helps!

Also you should add tmp to openbase_dir restriction, so you allow apps like WordPress admins to upload images, they will need tmp folder for this issue, something like this I think will do,
php_value_open_basedir: { name: 'php_value[open_basedir]', value: "[% documentroot %]:[% homedir %]/tmp" }