In Progress [CPANEL-26292] Set open_basedir and disable_functions to NULL for PECL

lukapaunovic

Well-Known Member
Jul 29, 2012
49
0
6
Užice, Serbia
cPanel Access Level
Root Administrator
Hi cPanel mods, please open case regarding this.

The current content of

/opt/cpanel/ea-phpXX/root/usr/bin/pecl

looks similar to this (varies per PHP version):

Code:
#!/bin/sh

exec /opt/cpanel/ea-phpXX/root/usr/bin/php -C \
    -d include_path=/usr/share/pear \
    -d date.timezone=UTC \
    -d output_buffering=1 \
    -d variables_order=EGPCS \
    -d safe_mode=0 \
    -d register_argc_argv="On" \
    /opt/cpanel/ea-phpXX/root/usr/share/pear/peclcmd.php "[email protected]"

As you see we already have safe_mode disabled if enabled, we need this for open_basedir and disable_functions too, otherwise, pecl won't work.
I modified the script, as can be seen bellow, I set open_basedir and disable_functions to NULL and my pecl works again. I believe this should be default as there are many people who define those two variables on their servers in order to protect their server

Code:
#!/bin/sh

exec /opt/cpanel/ea-phpXX/root/usr/bin/php -C \
    -d include_path=/usr/share/pear \
    -d date.timezone=UTC \
    -d output_buffering=1 \
    -d variables_order=EGPCS \
    -d safe_mode=0 \
    -d register_argc_argv="On" \
    -d open_basedir=NULL \
    -d disable_functions=NULL \
    /opt/cpanel/ea-phpXX/root/usr/share/pear/peclcmd.php "[email protected]"
I spent some time figuring out why pecl is not working and it was because of my strict open_basedir and disable_functions values.

This needs to be implemented ASAP.
Thank you
 
Last edited:

lukapaunovic

Well-Known Member
Jul 29, 2012
49
0
6
Užice, Serbia
cPanel Access Level
Root Administrator
ello @vacancy, this is unrelated to this post.
I'm talking here about Module Installer -> PHP Pecl installer or when you manually run pecl for specific PHP version like:

Code:
/opt/cpanel/ea-phpXX/root/usr/bin/pecl install imagick
If you have defined open_basedir to e.g.:

Code:
open_basedir = "/home:/tmp:/var/cpanel/php/sessions/ea-php72"
Like many admins do, pecl can't access /opt/cpanel/ea-php72 folder, and I doubt any of the sysadmins are aware to put /opt/cpanel/ea-php72 to allowed paths in basedir.

Which will make pecl not work, also if you have defined disable functions popen/proc_open pecl won't also work.
That's why setting these to NULL when running pecl is necessary.

@cPanelMichael please open case for this. Thanks.
 
Last edited:

lukapaunovic

Well-Known Member
Jul 29, 2012
49
0
6
Užice, Serbia
cPanel Access Level
Root Administrator
No, I just came here to report the issue.

Here is how to reproduce:

Open MultiPHP Ini editor for some PHP version in WHM, let's say 7.0

set disable_functions variable to
Code:
disable_functions = "pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,show_source,system,passthru,shell_exec,proc_open,popen,phpinfo"
Set open_basedir variable to

Code:
open_basedir = "/home:/tmp:/var/cpanel/php/sessions/ea-php70"
Now, try installing something via PECL for the version 7.0
You'll see the errors about open_basedir restriction (pecl unable to access /opt/cpanel/ea-php72), and afterward, the problems will arise because of popen disabled.

That's why it's required each of the /opt/cpanel/ea-phpXX/root/usr/bin/pecl
has these variables set to null so they don't interfere with PECL!

I hope i explained this, I can't do it better.
A regular user won't know how to troubleshoot this issue, and this will prevent many support requests being opened regarding this.
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,911
2,233
363
cPanel Access Level
DataCenter Provider
Twitter
Hello @lukapaunovic,

This case is an improvement request so updates to the case status may not occur as quickly as a typical defect report. I'll continue to monitor the case and update this thread with new information as it becomes available.

In the meantime, the temporary workaround is to set the open_basedir and disable_functions lines to NULL in the corresponding /opt/cpanel/ea-php$$/root/usr/bin/pecl files:

Code:
-d disable_functions=NULL \
-d open_basedir=NULL \
Thank you.