Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

WHM66 and open_basedir issues with session.save_path

Discussion in 'Security' started by Routes, Sep 7, 2017.

Tags:
  1. Routes

    Routes Member

    Joined:
    Aug 5, 2016
    Messages:
    8
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Austria
    cPanel Access Level:
    Root Administrator
    Hi,

    in one of the last updates the session.save_path was changed to /var/cpanel/php/sessions/ea-php<version>.
    Now I realized that my php error log is full of open_basedir errors like
    PHP Warning: Unknown: open_basedir restriction in effect. File(/var/cpanel/php/sessions/ea-php70) is not within the allowed path(s):

    I am using MPM Event with php-fpm (non-jailed apache) and my open_basedir was always set to <website-root-dir>:/usr/lib/php:/usr/local/lib/php:/tmp

    As this was changed from /tmp I would have to extend my open_basedir with /var/cpanel/php/sessions/ea-php<version>

    Am I right with this conclusion??

    Or change the session.save_path in the /var/cpanel/userdata/<user> yaml files? What would you recommend as approach?

    Thanks!
     
    #1 Routes, Sep 7, 2017
    Last edited: Sep 7, 2017
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,165
    Likes Received:
    1,371
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    We actually have an internal case open (EA-5664) to address an issue where enabling PHP open_basedir in EasyApache 4 does not work due to the use of incorrect paths (it still uses the ones associated with EasyApache 3). As a workaround, you'd need to manually update the paths so they reflect the updated session directory and to account for MultiPHP functionality (e.g. /opt/cpanel/ea-php56).

    Also, note the following quote from our PHP open_basedir Tweak document:

    Thank you.
     
  3. Routes

    Routes Member

    Joined:
    Aug 5, 2016
    Messages:
    8
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Austria
    cPanel Access Level:
    Root Administrator
    Sorry but this is not exactly what I asked. Of course I know that I have to edit the yaml files on my own if using php-fpm because this is not working with the WHM "button", and this is also what I did.

    The question is : Should I set the session.save_path back to /tmp or should I leave the session.save_path at the "new" value /var/cpanel/php/sessions.... and extend my open_basedir in the yaml file? I understand it like update the paths in the yaml file to the new paths, right?

    Manually I have to do it anyway, EasyApache 4 or not, it is even not enough to edit the php.ini file because it does not do anything, you have to edit the yaml files and rebuild the configuration, that's the only way to add open_basedir with php-fpm I found.

    and can I remove /tmp then from the open_basedir paths or not?
     
    #3 Routes, Sep 7, 2017
    Last edited by a moderator: Sep 8, 2017
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,165
    Likes Received:
    1,371
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    I recommend leaving the new PHP session paths enabled, and updating your open_basedir paths to reflect the new directory.

    Yes, you can remove the /tmp directory from the allowed paths in this case since PHP sessions are no longer stored there.

    Thank you.
     
  5. Routes

    Routes Member

    Joined:
    Aug 5, 2016
    Messages:
    8
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Austria
    cPanel Access Level:
    Root Administrator
    That seems to work, thanks!
     
    cPanelMichael likes this.
Loading...

Share This Page