Security Sysadmin Should we enable open_base

I've flipped and flopped over enable vs disabled by default for this and ended up as disabled as enabled doesn't 100% protect you since all sites on the server have access to files from other sites on Centmin Mod as their is no shared hosting/chroot/jail and php-fpm runs as same nginx user as nginx server anyway.

But for limited protection, you enable it via include file at /usr/local/nginx/conf/php.conf there's a commented out fastcgi_param setting in there you can uncomment and restart nginx + php-fpm

 

that should be fine, though Centmin Mod already restricts it further to document_root of the vhost in /usr/local/nginx/conf/php.conf include file added to every generated Nginx vhost - commented out/disabled by default though

Code (Text):

#fastcgi_param PHP_ADMIN_VALUE open_basedir=$document_root/:/usr/local/lib/php/:/tmp/;

I think only time issues come up is if php web app uses something like ffmpeg and folks set it to path where ffmpeg is installed which may be outside of nginx vhost path so open_basedir errors are reported. Of course folks can download ffmpeg static binary into their own nginx vhost path and reference them but they'd need to know how to do that. Most web app/manuals just instruct them to enter path to ffmpeg. In the context of wordpress I guess imagemagick convert and other command/binaries would be in same position as ffmpeg would be if open_basedir was enabled.

 

Error messages ?

 

If you enable open_basedir, the triggered log entries are considered Nginx errors not php-fpm as they'd set in php.conf include file so in your /home/nginx/domains/domain.com/log/error.log logs or rotated logs

Code (Text):

grep -rin 'open_basedir' /home/nginx/domains/domain.com/log/error.log*

Code (Text):

grep -rin 'open_basedir' 

error.log-20190810:38:2019/08/10 02:42:54 [error] 21079#21079: *1 FastCGI sent in stderr: "PHP message: PHP Warning:  Unknown: open_basedir restriction in effect. File(/who.php) is not within the allowed path(s): (/home/nginx/domains/domain.com/public/:/usr/local/lib/php/:/tmp/) in Unknown on line 0

 

are you using open_basedir parameters that are commented out usually with $document_root or are you using your previously posted one level above document root (/public) parameters ?

Code (Text):

fastcgi_param PHP_ADMIN_VALUE open_basedir=$document_root/:/usr/local/lib/php/:/tmp/;

or

Code (Text):

fastcgi_param PHP_ADMIN_VALUE open_basedir=/home/nginx/domains/:/usr/local/lib/php/:/tmp/;

though there is no reason why one domain vhost installed php is trying to access another domain's vhost installed wordpress/php.

 

Ok will need to investigate that