In Progress [CPANEL-26292] Set open_basedir and disable_functions to NULL for PECL

[lukapaunovic]

Hi cPanel mods, please open case regarding this.

The current content of

/opt/cpanel/ea-phpXX/root/usr/bin/pecl

looks similar to this (varies per PHP version):

#!/bin/sh

exec /opt/cpanel/ea-phpXX/root/usr/bin/php -C \
    -d include_path=/usr/share/pear \
    -d date.timezone=UTC \
    -d output_buffering=1 \
    -d variables_order=EGPCS \
    -d safe_mode=0 \
    -d register_argc_argv="On" \
    /opt/cpanel/ea-phpXX/root/usr/share/pear/peclcmd.php "[email protected]"

As you see we already have safe_mode disabled if enabled, we need this for open_basedir and disable_functions too, otherwise, pecl won't work.
I modified the script, as can be seen bellow, I set open_basedir and disable_functions to NULL and my pecl works again. I believe this should be default as there are many people who define those two variables on their servers in order to protect their server

#!/bin/sh

exec /opt/cpanel/ea-phpXX/root/usr/bin/php -C \
    -d include_path=/usr/share/pear \
    -d date.timezone=UTC \
    -d output_buffering=1 \
    -d variables_order=EGPCS \
    -d safe_mode=0 \
    -d register_argc_argv="On" \
    -d open_basedir=NULL \
    -d disable_functions=NULL \
    /opt/cpanel/ea-phpXX/root/usr/share/pear/peclcmd.php "[email protected]"

I spent some time figuring out why pecl is not working and it was because of my strict open_basedir and disable_functions values.

This needs to be implemented ASAP.
Thank you

 

[vacancy]

Enabling PHP-FPM forces disable_functions
How to Manage Your php.ini Directives with PHP-FPM - cPanel Knowledge Base - cPanel Documentation

 

[lukapaunovic]

ello @vacancy, this is unrelated to this post.
I'm talking here about Module Installer -> PHP Pecl installer or when you manually run pecl for specific PHP version like:

/opt/cpanel/ea-phpXX/root/usr/bin/pecl install imagick

If you have defined open_basedir to e.g.:

open_basedir = "/home:/tmp:/var/cpanel/php/sessions/ea-php72"

Like many admins do, pecl can't access /opt/cpanel/ea-php72 folder, and I doubt any of the sysadmins are aware to put /opt/cpanel/ea-php72 to allowed paths in basedir.

Which will make pecl not work, also if you have defined disable functions popen/proc_open pecl won't also work.
That's why setting these to NULL when running pecl is necessary.

@cPanelMichael please open case for this. Thanks.

 

[cPanelMichael]

Hello @lukapaunovic,

Can you open a support ticket so we can take a closer look and reproduce the issue on an affected system? You can post the ticket number here and we'll link this thread to it.

Thank you.

 

[lukapaunovic]

No, I just came here to report the issue.

Here is how to reproduce:

Open MultiPHP Ini editor for some PHP version in WHM, let's say 7.0

set disable_functions variable to

disable_functions = "pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,show_source,system,passthru,shell_exec,proc_open,popen,phpinfo"

Set open_basedir variable to

open_basedir = "/home:/tmp:/var/cpanel/php/sessions/ea-php70"

Now, try installing something via PECL for the version 7.0
You'll see the errors about open_basedir restriction (pecl unable to access /opt/cpanel/ea-php72), and afterward, the problems will arise because of popen disabled.

That's why it's required each of the /opt/cpanel/ea-phpXX/root/usr/bin/pecl
has these variables set to null so they don't interfere with PECL!

I hope i explained this, I can't do it better.
A regular user won't know how to troubleshoot this issue, and this will prevent many support requests being opened regarding this.

 

[cPanelMichael]

Hello @lukapaunovic,

I've reported this as part of internal case CPANEL-26292. I'll update this thread with more information on the status of this case as it becomes available.

Thank you.

 

[lukapaunovic]

Come one @cPanelMichael fix this already
It's just two lines to override basdir and disable functions when pecl is running!

 

[cPanelMichael]

Hello @lukapaunovic,

This case is an improvement request so updates to the case status may not occur as quickly as a typical defect report. I'll continue to monitor the case and update this thread with new information as it becomes available.

In the meantime, the temporary workaround is to set the open_basedir and disable_functions lines to NULL in the corresponding /opt/cpanel/ea-php$$/root/usr/bin/pecl files:

-d disable_functions=NULL \
-d open_basedir=NULL \

Thank you.