
Security Sysadmin Should we enable open_base

Discussion in 'System Administration' started by EckyBrazzz, Aug 8, 2019.

  1. EckyBrazzz

    EckyBrazzz Active Member

    I have some sites that tell me to enable the PHP open_basedir path for security reasons.
    As far as I can see, CMM has this disabled.

    I Googled around and found "yes" we should enable it, but there are many others that tell "no".

    I would like to know what to do, and if we should not enable it system wide, what we should place into the /usr/local/etc/php-fpm.conf file.

  2. eva2000

    eva2000 Administrator Staff Member

    I've flipped and flopped over enabled vs disabled by default for this and ended up with disabled, as enabled doesn't 100% protect you: all sites on the server have access to files from other sites on Centmin Mod, as there is no shared hosting/chroot/jail and php-fpm runs as the same nginx user as the nginx server anyway.

    But for limited protection, you enable it via the include file at /usr/local/nginx/conf/php.conf. There's a commented out fastcgi_param setting in there you can uncomment, then restart nginx + php-fpm.
     
  3. EckyBrazzz

    EckyBrazzz Active Member

    heheh, @eva2000
    Ratings: +14,000 Nice number. Guess it was me ;)
  4. jcat

    jcat Member

    Any reason, by default, we don't set open_basedir to at least:

    Code:
    fastcgi_param PHP_ADMIN_VALUE open_basedir=/home/nginx/domains/:/usr/local/lib/php/:/tmp/;
    While this doesn't protect the domains from accessing each other, it does at least prevent PHP from seeing the filesystem? Do you see any issues arising from that?
  5. eva2000

    eva2000 Administrator Staff Member

    That should be fine, though Centmin Mod already restricts it further to the document_root of the vhost in the /usr/local/nginx/conf/php.conf include file added to every generated Nginx vhost - commented out/disabled by default though:
    Code (Text):
    #fastcgi_param PHP_ADMIN_VALUE open_basedir=$document_root/:/usr/local/lib/php/:/tmp/;

    I think the only time issues come up is if a PHP web app uses something like ffmpeg and folks set it to the path where ffmpeg is installed, which may be outside of the nginx vhost path, so open_basedir errors are reported. Of course folks can download the ffmpeg static binary into their own nginx vhost path and reference it, but they'd need to know how to do that. Most web app manuals just instruct them to enter the path to ffmpeg. In the context of WordPress I guess ImageMagick convert and other commands/binaries would be in the same position as ffmpeg if open_basedir was enabled.
    Last edited: Aug 10, 2019
  6. EckyBrazzz

    EckyBrazzz Active Member

    I don't know why, but when I enable it, my WP site has some difficulties ... and HetrixTools reports OFFLINE...
  7. eva2000

    eva2000 Administrator Staff Member

    Error messages?
  8. EckyBrazzz

    EckyBrazzz Active Member

    "This site experiences some difficulties", or so is the message on the site... nginx -t and nprestart are all normal.

    But I have some strange issues. I have a Plagiarism Checker X, and on one site it works, on another it's blocked.... Real strange, same theme, same layout.....
  9. jcat

    jcat Member

    When you use

    open_basedir=$document_root/: ?

    Code:
    grep open_basedir /var/log/php-fpm/www-php.error.log
     
  10. eva2000

    eva2000 Administrator Staff Member

    If you enable open_basedir, the triggered log entries are considered Nginx errors, not php-fpm ones, as they're set in the php.conf include file, so they land in your /home/nginx/domains/domain.com/log/error.log logs or rotated logs:
    Code (Text):
    grep -rin 'open_basedir' /home/nginx/domains/domain.com/log/error.log*


    Code (Text):
    grep -rin 'open_basedir' /home/nginx/domains/domain.com/log/error.log*
    error.log-20190810:38:2019/08/10 02:42:54 [error] 21079#21079: *1 FastCGI sent in stderr: "PHP message: PHP Warning:  Unknown: open_basedir restriction in effect. File(/who.php) is not within the allowed path(s): (/home/nginx/domains/domain.com/public/:/usr/local/lib/php/:/tmp/) in Unknown on line 0
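The grep above answers "did open_basedir fire at all"; when debugging a broken WordPress plugin it is more useful to know which paths were blocked and how often, since each one is either a real escape attempt or a plugin setting (such as a path to ffmpeg) that needs to point inside the allowed directories. The script below is an added example, not code from the thread or from Centmin Mod; the log lines it parses are constructed to mimic the Nginx error.log format shown above, and the log file path is a temporary file, not a real vhost log.

```shell
#!/bin/sh
# Added example (not from the thread): summarise open_basedir restriction
# hits from a Centmin Mod style Nginx vhost error.log, grouped by the path
# PHP was denied access to. The log content below is constructed.

LOG="${TMPDIR:-/tmp}/open_basedir_example_error.log"
cat > "$LOG" <<'EOF'
2019/08/10 02:42:54 [error] 21079#21079: *1 FastCGI sent in stderr: "PHP message: PHP Warning:  Unknown: open_basedir restriction in effect. File(/who.php) is not within the allowed path(s): (/home/nginx/domains/domain.com/public/:/usr/local/lib/php/:/tmp/) in Unknown on line 0
2019/08/10 02:43:10 [error] 21079#21079: *2 FastCGI sent in stderr: "PHP message: PHP Warning:  file_exists(): open_basedir restriction in effect. File(/usr/bin/ffmpeg) is not within the allowed path(s): (/home/nginx/domains/domain.com/public/:/usr/local/lib/php/:/tmp/) in /home/nginx/domains/domain.com/public/wp-content/plugins/example/media.php on line 42
2019/08/10 02:43:11 [error] 21079#21079: *2 FastCGI sent in stderr: "PHP message: PHP Warning:  is_executable(): open_basedir restriction in effect. File(/usr/bin/ffmpeg) is not within the allowed path(s): (/home/nginx/domains/domain.com/public/:/usr/local/lib/php/:/tmp/) in /home/nginx/domains/domain.com/public/wp-content/plugins/example/media.php on line 43
2019/08/10 02:44:00 [error] 21079#21079: *3 open() "/home/nginx/domains/domain.com/public/favicon.ico" failed (2: No such file or directory)
EOF

# Total number of open_basedir restriction lines in the given log file.
open_basedir_count() {
    grep -c 'open_basedir restriction in effect' "$1"
}

# "count path" for every denied path, most frequent first. The path is the
# text inside File(...) on each restriction line; unrelated Nginx errors
# (like the favicon 404 above) are ignored because they lack the marker.
open_basedir_hits() {
    grep -h 'open_basedir restriction in effect' "$1" \
      | sed -n 's/.*File(\([^)]*\)).*/\1/p' \
      | sort | uniq -c | sort -rn
}

# Paths that are repeatedly denied usually mean a plugin setting points
# outside $document_root; a one-off hit on an unexpected file is worth
# reviewing as a possible escape attempt.
echo "open_basedir hits in $LOG: $(open_basedir_count "$LOG")"
open_basedir_hits "$LOG"
```

Run it against a real vhost log by replacing the constructed file with `/home/nginx/domains/domain.com/log/error.log*` in the two function calls; rotated logs work the same way since grep -h suppresses the file name prefix.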