Security Sysadmin Should we enable open_base

Discussion in 'System Administration' started by EckyBrazzz, Aug 8, 2019.

  1. EckyBrazzz

    I have some site that tell me to enable the php open_base path for security reasons.
    As far as I can see, CMM has this disabled.

    I Googled around and found "yes" we should enable it, but there are many others that tell "no".

    I would like to know what to do, and if we should not enable it system-wide, what we should place into the /usr/local/etc/php-fpm.conf file.

    Thanks.
     
  2. eva2000

    I've flipped and flopped over enabled vs disabled by default for this and ended up with disabled, as enabled doesn't 100% protect you, since all sites on the server have access to files from other sites on Centmin Mod: there is no shared hosting/chroot/jail and php-fpm runs as the same nginx user as the nginx server anyway.

    But for limited protection, you enable it via the include file at /usr/local/nginx/conf/php.conf; there's a commented out fastcgi_param setting in there you can uncomment, then restart nginx + php-fpm.
     
  3. EckyBrazzz

    heheh, @eva2000
    Ratings: +14,000 Nice number Guess it was me;)
     
  4. jcat

    Any reason, by default, we don't set open_basedir to at least:

    Code:
    fastcgi_param PHP_ADMIN_VALUE open_basedir=/home/nginx/domains/:/usr/local/lib/php/:/tmp/;
    While this doesn't protect the domains from accessing each other, it does at least prevent PHP from seeing the filesystem? You see any issues arising from that?
     
  5. eva2000

    that should be fine, though Centmin Mod already restricts it further to the document_root of the vhost in the /usr/local/nginx/conf/php.conf include file added to every generated Nginx vhost (commented out/disabled by default though):
    Code (Text):
    #fastcgi_param PHP_ADMIN_VALUE open_basedir=$document_root/:/usr/local/lib/php/:/tmp/;


    I think the only time issues come up is if a php web app uses something like ffmpeg and folks set it to the path where ffmpeg is installed, which may be outside of the nginx vhost path, so open_basedir errors are reported. Of course folks can download a ffmpeg static binary into their own nginx vhost path and reference that, but they'd need to know how to do that. Most web app manuals just instruct them to enter the path to ffmpeg. In the context of wordpress I guess imagemagick convert and other commands/binaries would be in the same position as ffmpeg would be if open_basedir was enabled.
     
    Last edited: Aug 10, 2019
  6. EckyBrazzz

    I don't know why, but when I enable it, my wp-site has some difficulties ... and HetrixTools gives OFFLINE...:banghead:
     
  7. eva2000

    Error messages ?
     
  8. EckyBrazzz

    This site experiences some difficulties, or so is the message on the site... Nginx -t and nprestart all normal.

    But I have some strange issues. I have Plagiarism Checker X, and on one site it works, on another it's blocked.... Real strange, same theme, same layout.....
     
  9. jcat

    When you use

    open_basedir=$document_root/: ?

    Code:
    grep open_basedir /var/log/php-fpm/www-php.error.log
     
  10. eva2000

    If you enable open_basedir, the triggered log entries are considered Nginx errors, not php-fpm ones, as they're set in the php.conf include file, so they're in your /home/nginx/domains/domain.com/log/error.log logs or rotated logs:
    Code (Text):
    grep -rin 'open_basedir' /home/nginx/domains/domain.com/log/error.log*


    Code (Text):
    grep -rin 'open_basedir' 
    
    error.log-20190810:38:2019/08/10 02:42:54 [error] 21079#21079: *1 FastCGI sent in stderr: "PHP message: PHP Warning:  Unknown: open_basedir restriction in effect. File(/who.php) is not within the allowed path(s): (/home/nginx/domains/domain.com/public/:/usr/local/lib/php/:/tmp/) in Unknown on line 0
    
     
  11. jcat

    Sigh, I feel the only way open_basedir will ever work properly is with separating the PHP pools.

    Code:
    # grep 'Unable to open primary script' error.log-20190822 | tail -1
    2019/08/21 10:57:56 [error] 445138#445138: *17099515 FastCGI sent in stderr: "Unable to open primary script: /home/nginx/domains/domain2.com/public/wp-admin/admin-ajax.php (Operation not permitted)" while reading response header from upstream, client: 98.221.218.134, server: domain2.com, request: "POST /wp-admin/admin-ajax.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "domain2.com", referrer: "https://domain2.com/wp-admin/post.php?post=38745&action=edit"
    Code:
    [21-Aug-2019 15:57:56 UTC] PHP Warning:  Unknown: open_basedir restriction in effect. File(/home/nginx/domains/domain2.com/public/wp-admin/admin-ajax.php) is not within the allowed path(s): (/home/nginx/domains/domain1.com/public/:/usr/local/lib/php/:/tmp/) in Unknown on line 0
    
    Makes 0 sense why one domain is trying to access another.. Seen this just about every time we turn on open_basedir protection. I think it's just a bug, but the way we use it with one php pool is very rare, so maybe never reported? Not sure.
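    A defender's check for the log entries discussed in the two posts above, added here as an example (not Centmin Mod's own tooling): it parses the open_basedir warnings from either the Nginx vhost error.log or the php-fpm log and separates ordinary blocks (a file outside the domains tree, like /who.php) from the cross-vhost pattern in jcat's logs, where the blocked file sits under one vhost but the allowed path belongs to another. The /home/nginx/domains/<domain>/ layout is assumed, and the sample lines are constructed from the ones quoted in the thread.

```python
import re
from typing import Dict, List, Optional

# Matches the warning PHP emits when open_basedir blocks an access, whether the line is
# from the Nginx vhost error.log (FastCGI stderr) or from the php-fpm error log.
_OB_RE = re.compile(
    r"open_basedir restriction in effect\. File\((?P<file>[^)]*)\) is not within "
    r"the allowed path\(s\): \((?P<allowed>[^)]*)\)"
)
# Centmin Mod vhost layout assumed here: /home/nginx/domains/<domain>/...
_VHOST_RE = re.compile(r"^/home/nginx/domains/([^/]+)/")

# Constructed sample input, modelled on the lines quoted in the thread above.
SAMPLE_LOG = [
    'error.log-20190810:38:2019/08/10 02:42:54 [error] 21079#21079: *1 FastCGI sent in '
    'stderr: "PHP message: PHP Warning:  Unknown: open_basedir restriction in effect. '
    'File(/who.php) is not within the allowed path(s): '
    '(/home/nginx/domains/domain.com/public/:/usr/local/lib/php/:/tmp/) in Unknown on line 0',
    '[21-Aug-2019 15:57:56 UTC] PHP Warning:  Unknown: open_basedir restriction in effect. '
    'File(/home/nginx/domains/domain2.com/public/wp-admin/admin-ajax.php) is not within the '
    'allowed path(s): (/home/nginx/domains/domain1.com/public/:/usr/local/lib/php/:/tmp/) '
    'in Unknown on line 0',
]

def vhost_of(path: str) -> Optional[str]:
    """Vhost domain a path belongs to, or None when it is outside the domains tree."""
    m = _VHOST_RE.match(path)
    return m.group(1) if m else None

def classify(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line; None if it is not an open_basedir warning."""
    m = _OB_RE.search(line)
    if m is None:
        return None
    file_path = m.group("file")
    allowed = [p for p in m.group("allowed").split(":") if p]
    file_vhost = vhost_of(file_path)
    allowed_vhosts = {v for v in (vhost_of(p) for p in allowed) if v}
    if file_vhost is None:
        kind = "outside_vhost_tree"  # the restriction did its job (e.g. /who.php)
    elif file_vhost in allowed_vhosts:
        kind = "same_vhost"          # blocked under its own vhost: check the path, not the pool
    else:
        kind = "cross_vhost"         # served under another vhost's open_basedir (shared pool)
    return {"file": file_path, "file_vhost": file_vhost,
            "allowed_vhosts": allowed_vhosts, "kind": kind}

def scan(lines) -> List[Dict[str, object]]:
    """Classify every open_basedir warning in an iterable of log lines."""
    return [r for r in (classify(l) for l in lines) if r]
```

    Feed it the output of the grep from eva2000's post (or the rotated error.log files directly); a run of "cross_vhost" hits is the signal that requests are being served under another vhost's restriction rather than a genuine out-of-bounds access.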
     
  12. eva2000

    are you using the open_basedir parameters that are usually commented out with $document_root, or are you using your previously posted parameters one level above the document root (/public)?
    Code (Text):
    fastcgi_param PHP_ADMIN_VALUE open_basedir=$document_root/:/usr/local/lib/php/:/tmp/;
    

    or
    Code (Text):
    fastcgi_param PHP_ADMIN_VALUE open_basedir=/home/nginx/domains/:/usr/local/lib/php/:/tmp/;
    

    though there is no reason why one domain vhost's installed php is trying to access another domain vhost's installed wordpress/php.
     
  13. jcat

    This works fine

    This is problematic, and yeah it makes no sense which is why I think there is some kind of bug.
     
  14. eva2000

    Ok will need to investigate that :)