Support / KnowledgeBase

 
Search the KnowledgeBase Search

How do I set the path for open_basedir?

  • Applies to: (dv) 3.5, (dv) 4.0, (gs)

  • Difficulty: Easy

  • Time needed: 10 minutes

  • Tools needed: SSH, root access, vi knowledge or Plain text editor, FTP client or AccountCenter access

 
  • Applies to: (gs)
    • Difficulty: Medium
    • Time Needed: 10
    • Tools Required: Plain text editor, FTP client or AccountCenter access
  • Applies to: (dv) 4.0
    • Difficulty: Medium
    • Time Needed: 10
    • Tools Required: SSH, root access, vi knowledge
  • Applies to: (dv) 3.5
    • Difficulty: Medium
    • Time Needed: 10
    • Tools Required: SSH, root access, vi knowledge

Overview

By default, open_basedir restrictions are in place on the (gs) Grid-Service. These keep scripts in one directory from being able to affect scripts in another directory, which is an important security feature. Basically, if one of your domains gets hacked, open_basedir prevents the infection from spreading to another domain on the same account.

However, some applications need scripts in different directories to be able to affect each other. In this case, you can add extra allowed paths to the open_basedir rules for each domain.

PEAR is a framework and distribution system for reusable PHP components. It comes installed on your (dv) Dedicated-Virtual Server, but to enable it on one of your domains you'll have to change the default open_basedir variable.

The open_basedir function defines the locations or paths from which PHP is allowed to access files using functions like fopen() and gzopen(). If a file is outside of the paths defined by open_basdir, PHP will refuse to open it.

Requirements

Before you start, you should be familiar with:

To change the default of this variable, you'll need root access enabled.

End of Life Warning

This service has a pending End of Life. Please move to a current service as soon as possible. For more information, please see: (dv) Dedicated-Virtual 4.0: Migration Information.

READ ME FIRST

This article is provided as a courtesy. Installing, configuring, and troubleshooting third-party applications is outside the scope of support provided by (mt) Media Temple. Please take a moment to review the Statement of Support.

READ ME FIRST

Please be aware that the following changes in your vhost.conf file will take precedence over any settings you may have in your httpd.conf file.

This article is provided as a courtesy. Installing, configuring, and troubleshooting third-party applications is outside the scope of support provided by (mt) Media Temple. Please take a moment to review the Statement of Support.

Symptoms

If your application is trying to open a file that is not in your open_basedir allowed directory, you will get an error like this, or something similar:

Warning: include_once() [function.include-once]: open_basedir restriction in effect. File(/nfs/c00/h00/mnt/00000/domains/gs-example.com/html/include.php) is not within the allowed path(s): (/home/00000/domains/example.com/html/) in /nfs/c00/h00/mnt/00000/domains/gs-example.com/html/index.php on line 10

 

Here's the error without all the long paths, so you know what to look for:

Warning: open_basedir restriction in effect. File(example.php) is not within the allowed path(s)

 

Instructions

You can add additional paths to the allowed open_basedir by following these instructions:

  1. Create a .htaccess file with the following lines (or add these lines to an existing file):

    Filename: .htaccess

     

    php_value open_basedir /home/00000/domains/gs-example.com/html/:/home/00000/data/tmp/:/home/00000/domains/gs-example.com/application/

     

    Notes on this file:

    • Be sure to replace 00000 with your site number and gs-example.com with your domain name.
    • You can add as many paths as you want. Separate each path with a colon (:).
    • Make sure you always include the path to your html directory and your local /home/00000/data/tmp/ directory. Just /tmp/ will work too, but you have less control over that directory.
    • Check your error for any additional paths that need to be added. In the example above, the additional directory /home/00000/domains/gs-example.com/application/ has been added.
    • Do not use paths that look like nfs/c00/h00/mnt/. Use /home/00000/ plus the rest of your path (where 00000 is your site number).
    • For information on how to create a .htaccess file, please see: Using .htaccess files: Creating the .htaccess file.

    CAUTION:

    Make sure you do not use a path that is too broad, such as /home/00000/ by itself - this will allow all directories to access each other, and is a security risk.

  2. Upload the .htaccess file to the appropriate directory via FTP. In most cases, you can upload the .htaccess file to the html directory of the domain in question. However, you can also upload it to whatever directory contains the file that was trying to access restricted directories in the first place. This may be necessary if you use a Content Management System that overwrites the main .htaccess file periodically.
  3. Once you've uploaded the .htaccess file, refresh your page. If you have listed all the necessary paths, you should no longer see the open_basedir error.

Here's how to enable PEAR on a domain:

  1. SSH into your Plesk machine as root and cd to the conf directory for the domain on which you want to enable PEAR. Something like this should work:

     

    cd /var/www/vhosts/example.com/conf/
    cd /var/www/vhosts/example.com/conf/
  2. Create a file called vhost.conf with the following contents:

    NOTE:

    If you would like to make PEAR available via https, follow the instructions below but create vhost_ssl.conf instead of vhost.conf. If you would like to enable this for subdomains, you must create the appropriate vhost.conf files for all subdomains that you need and then reconfigure the main vhost.conf file.

    vi vhost.conf

    For (dv) Dedicated-Virtual Server 3.x systems:

    <Directory "/var/www/vhosts/example.com/httpdocs">
    php_admin_value open_basedir "/var/www/vhosts/example.com/httpdocs/:/tmp/:/usr/share/pear/"
    php_admin_value include_path "/var/www/vhosts/example.com/httpdocs/:/tmp/:/usr/share/pear/"
    </Directory> 
    

    For (dv) Dedicated-Virtual Server 4.0 systems:

    For your "primary domain" -- this is the primary domain of the subscription in Plesk and not the primary domain as we normally refer to it regarding the service:

    <Directory "/var/www/vhosts/example.com/httpdocs">
    php_admin_value open_basedir "/var/www/vhosts/example.com/httpdocs/:/tmp/:/usr/share/pear/"
    php_admin_value include_path "/var/www/vhosts/example.com/httpdocs/:/tmp/:/usr/share/pear/"
    </Directory> 
    

    For any additional domains on your (dv) 4.0, this would be for domains on the same subscription in Plesk.

    <Directory "DOCUMENTROOT">
      php_admin_value open_basedir "DOCUMENTROOT:/tmp/:/usr/share/pear"
      php_admin_value open_basedir "DOCUMENTROOT:/tmp/:/usr/share/pear"
    </Directory>

    You can obtain what the document root actually is with the following command:

    cd /var/www/vhosts/example.com/conf && ls -tcr *httpd.include | tail -1 | xargs grep -m 1 DocumentRoot

    TIP:

    If you want to switch off safe_mode on a per domain basis, you can add the following line:

    php_admin_value safe_mode Off

    NOTE:

    If you are having open_basedir problems not related to the use of PEAR, you should add the path of the directory you are trying to access after :/tmp like this:

    php_admin_value open_basedir "/var/www/vhosts/example.com/httpdocs:/usr/share/pear:/tmp:/path/to/new/directory/to/access/"

    Or you can turn off open_basedir completely like this:

    php_admin_value open_basedir none
    php_admin_value open_basedir "/var/www/vhosts/example.com:/usr/share/pear:/tmp:/path/to/new/directory/to/access/"

    Or you can turn off open_basedir completely like this:

    php_admin_value open_basedir none

     

  3. Reconfigure your webserver so it will look for your new vhost.conf file by doing this:
    /usr/local/psa/admin/sbin/websrvmng --reconfigure-vhost --vhost-name=example.com
  4. Reconfigure your webserver so it will look for your new vhost.conf file by doing this:
    /usr/local/psa/admin/sbin/httpdmng --reconfigure-domain example.com
  5. Finally, you must restart Apache, this can be done through Plesk or by executing the following commands:
    /etc/init.d/httpd stop
    /etc/init.d/httpd start

Resources


User Comments

No visitor comments posted. Post a comment
Fields marked with an asterisk(*) are required. Comment on this article
Fill out the form below if you would like to comment on this article.
 
 
 

(code is not case-sensitive)
 
Submit
 
 

Continue