Overview

By default, open_basedir restrictions are in place on the (gs) Grid-Service. These keep scripts in one directory from being able to affect scripts in another directory, which is an important security feature. Basically, if one of your domains gets hacked, open_basedir prevents the infection from spreading to another domain on the same account.

The open_basedir function defines the locations or paths from which PHP is allowed to access files using functions like fopen() and gzopen(). If a file is outside of the paths defined by open_basedir, PHP will refuse to open it.

Requirements

Before you start, you should be familiar with and/or have handy:

• Use of a plain text editor.
• FTP
• Editing the php.ini file.
• Your site number.

To change the default of this variable, you'll need root access enabled.

Symptoms

If your application is trying to open a file that is not in your open_basedir allowed directory, you will get an error like this, or something similar:

Warning: include_once() [function.include-once]: open_basedir restriction in effect. File(/nfs/c00/h00/mnt/00000/domains/gs-example.com/html/include.php) is not within the allowed path(s): (/home/00000/domains/example.com/html/) in /nfs/c00/h00/mnt/00000/domains/gs-example.com/html/index.php on line 10

Here's the error without all the long paths, so you know what to look for:

Warning: open_basedir restriction in effect. File(example.php) is not within the allowed path(s)

Instructions

1. Open your php.ini file and add or edit the following line:

   Filename: php.ini

   open_basedir = "/path/to/first/folder:/path/to/second/folder"

   Notes on this file:

   • Make sure you always include the path to your html directory and your local /home/00000/data/tmp/ directory. Just /tmp/ will work too, but you have less control over that directory.
   • Do not use paths that look like nfs/c00/h00/mnt/. Use /home/00000/ plus the rest of your path (where 00000 is your site number).
   • For information on how to edit the php.ini file, please see: How can I edit the php.ini file?

   CAUTION:

   Make sure you do not use a path that is too broad, such as /home/00000/ by itself - this will allow all directories to access each other, and is a security risk.

2. Upload the php.ini file to the etc directory via FTP.
3. Once you've uploaded the php.ini file, refresh your page. If you have listed all the necessary paths, you should no longer see the open_basedir error.

Here's how to set open_basedir on a domain:

1. SSH into your Plesk machine as root and cd to the conf directory for the domain on which you want to modify open_basedir. Something like this should work:

    

   cd /var/www/vhosts/example.com/conf/

   cd /var/www/vhosts/example.com/conf/

2. Create a file called vhost.conf with the following contents:

   NOTE:

   If you would like to use open_basedir via https, follow the instructions below but create vhost_ssl.conf instead of vhost.conf. If you would like to enable this for subdomains, you must create the appropriate vhost.conf files for all subdomains that you need and then reconfigure the main vhost.conf file.

   vi vhost.conf

   For (dv) Dedicated-Virtual Server 3.x systems:

   <Directory "/var/www/vhosts/example.com/httpdocs">
   php_admin_value open_basedir "/var/www/vhosts/example.com/httpdocs/:/tmp/:/path/to/first/folder/:/path/to/second/folder/"
   php_admin_value include_path "/var/www/vhosts/example.com/httpdocs/:/tmp/:/path/to/first/folder/:/path/to/second/folder/"
   </Directory>
   

   For (dv) Dedicated-Virtual Server 4.0 systems:

   For your "primary domain" -- this is the primary domain of the subscription in Plesk and not the primary domain as we normally refer to it regarding the service:

   <Directory "/var/www/vhosts/example.com/httpdocs">
   php_admin_value open_basedir "/var/www/vhosts/example.com/httpdocs/:/tmp/:/path/to/first/folder/:/path/to/second/folder/"
   php_admin_value include_path "/var/www/vhosts/example.com/httpdocs/:/tmp/:/path/to/first/folder/:/path/to/second/folder/"
   </Directory>
   

   For any additional domains on your (dv) 4.0, this would be for domains on the same subscription in Plesk.

   <Directory "DOCUMENTROOT">
     php_admin_value open_basedir "DOCUMENTROOT:/tmp/:/path/to/first/folder/:/path/to/second/folder/"
     php_admin_value open_basedir "DOCUMENTROOT:/tmp/:/path/to/first/folder/:/path/to/second/folder/"
   </Directory>

   You can obtain what the document root actually is with the following command:

   cd /var/www/vhosts/example.com/conf && ls -tcr *httpd.include | tail -1 | xargs grep -m 1 DocumentRoot

   TIP:

   If you want to switch off safe_mode on a per domain basis, you can add the following line:

   php_admin_value safe_mode Off

   NOTE:

   While this is not advised, you can also disable open_basedir for the website by adding the following line to the vhost.conf file:

   php_admin_value open_basedir none

   php_admin_value open_basedir none

3. Reconfigure your webserver so it will look for your new vhost.conf file by doing this:
   

   /usr/local/psa/admin/sbin/websrvmng --reconfigure-vhost --vhost-name=example.com

4. Reconfigure your webserver so it will look for your new vhost.conf file by doing this:
   

   /usr/local/psa/admin/sbin/httpdmng --reconfigure-domain example.com

5. Finally, you must restart Apache, this can be done through Plesk or by executing the following commands:

   /etc/init.d/httpd stop
   /etc/init.d/httpd start

Resources

• PHP Core Directives: open_basedir
• (dv) 4.0:Resolve FastCGI issues: Changes Required Per Site: PHP Directives, Timezone