mod_fcgid: stderr: PHP Warning: is_dir(): open_basedir restriction in effect

Discussion in 'Installation/Configuration' started by Entangled, Feb 27, 2015.

  1. Entangled

    Entangled New Member

    Hello,

    I have a bunch of servers with 3 drives: 25GB for the Debian6/7 OS and 2 1TB drives for site content/backup. I folllowed these instructions:

    https://www.howtoforge.com/use_moun...ctory_of_a_ispconfig_server_to_a_new_location

    All seemed to be working fine until I installed the "amember_remote" script which attempts to protect a directory/folder. The script is at the same level as the directory I am attempting to protect, both are in web (web/amember_remote and web/members) ... I can not "bounce up" (get into) the web directory in order to select members for protection and error log shows:

    [Wed Feb 25 00:42:36 2015] [warn] [client 97.80.178.92] mod_fcgid: stderr: PHP Warning: is_dir(): open_basedir restriction in effect. File(/var/www/clients/client23/web39) is not within the allowed path(s): (/var/www/clients
    /client23/web39/web:/var/www/clients/client23/web39/private:/var/www/clients/client23/web39/tmp:/var/www/DOMAIN_NAME_4/web:/srv/www/DOMAIN_NAME_4/web:/usr/share/php5:/usr/share/php:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/
    var/lib/phpmyadmin) in /var/www/clients/client23/web39/web/amember_remote/controllers/AdminController.php on line 254, referer: http://DOMAIN_NAME_4/amember_remote/admin/protect

    Here's my server's setup:

    [email protected]_name:/home/www# more /etc/fstab
    # /etc/fstab: static file system information.
    #
    # Use 'blkid' to print the universally unique identifier for a
    # device; this may be used with UUID= as a more robust way to name devices
    # that works even if disks are added and removed. See fstab(5).
    #
    # <file system> <mount point> <type> <options> <dump> <pass>
    proc /proc proc defaults 0 0
    # / was on /dev/xvda2 during installation
    UUID=4877a283-0f1e-4bde-8a0a-97b7e9b92a3e / ext3 errors=remount-ro,noatime 0 1
    # /boot was on /dev/xvda1 during installation
    UUID=6d14d427-c3b2-4b7d-915b-37dece24913a /boot ext3 defaults,noatime 0 2
    LABEL=SWAP-xvdb1 swap swap defaults 0 0
    /dev/xvdc /home ext3 errors=remount-ro,noatime,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 0 3
    /dev/xvde /backups ext3 errors=remount-ro,noatime 0 4
    /home/www /var/www none bind,nobootwait,_netdev 0 0
    #
    /var/log/ispconfig/httpd/DOMAIN_NAME_1 /var/www/clients/client23/web6/log none bind,nobootwait,_netdev 0 0
    /var/log/ispconfig/httpd/DOMAIN_NAME_2 /var/www/clients/client23/web13/log none bind,nobootwait,_netdev 0 0
    /var/log/ispconfig/httpd/DOMAIN_NAME_3 /var/www/clients/client23/web39/log none bind,nobootwait,_netdev 0 0
    /var/log/ispconfig/httpd/DOMAIN_NAME_4 /var/www/clients/client23/web45/log none bind,nobootwait,_netdev 0 0

    [email protected]_name:/home/www# df
    Filesystem 1K-blocks Used Available Use% Mounted on
    rootfs 25555836 2738220 21519440 12% /
    udev 10240 0 10240 0% /dev
    tmpfs 205288 164 205124 1% /run
    /dev/disk/by-uuid/4877a283-0f1e-4bde-8a0a-97b7e9b92a3e 25555836 2738220 21519440 12% /
    tmpfs 5120 0 5120 0% /run/lock
    tmpfs 829860 0 829860 0% /run/shm
    /dev/xvda1 240972 34480 194051 16% /boot
    /dev/xvdc 774092544 124258448 610512496 17% /home
    /dev/xvde 774092544 718756916 16014028 98% /backups
    /dev/xvdc 774092544 124258448 610512496 17% /var/www
    /dev/disk/by-uuid/4877a283-0f1e-4bde-8a0a-97b7e9b92a3e 25555836 2738220 21519440 12% /var/www/clients/client23/web6/log
    /dev/disk/by-uuid/4877a283-0f1e-4bde-8a0a-97b7e9b92a3e 25555836 2738220 21519440 12% /var/www/clients/client23/web13/log
    /dev/disk/by-uuid/4877a283-0f1e-4bde-8a0a-97b7e9b92a3e 25555836 2738220 21519440 12% /var/www/clients/client23/web39/log
    /dev/disk/by-uuid/4877a283-0f1e-4bde-8a0a-97b7e9b92a3e 25555836 2738220 21519440 12% /var/www/clients/client23/web45/log

    [email protected]_name:/var/www# ls -la
    total 36
    drwxr-xr-x 8 root root 4096 Feb 23 13:33 .
    drwxr-xr-x 12 root root 4096 Feb 19 13:59 ..
    drwxr-xr-x 2 ispapps ispapps 4096 Feb 4 20:03 apps
    lrwxrwxrwx 1 root root 31 Feb 4 23:17 DOMAIN_NAME_1 -> /var/www/clients/client23/web6/
    drwxr-xr-x 3 root root 4096 Feb 4 23:17 clients
    drwxr-xr-x 3 root root 4096 Feb 27 03:05 conf
    lrwxrwxrwx 1 root root 32 Feb 5 20:41 DOMAIN_NAME_2 -> /var/www/clients/client23/web13/
    lrwxrwxrwx 1 root root 32 Feb 16 12:50 DOMAIN_NAME_3 -> /var/www/clients/client23/web39/
    -rw-r--r-- 1 root root 177 Feb 4 15:36 index.html
    drwx------ 2 root root 4096 Feb 4 13:17 lost+found
    drwxr-xr-x 7 root root 4096 Feb 23 13:33 php-fcgi-scripts
    lrwxrwxrwx 1 root root 32 Feb 23 13:33 DOMAIN_NAME_4 -> /var/www/clients/client23/web45/
    drwxr-xr-x 2 root root 4096 Feb 27 06:27 webalizer

    [email protected]_name:/home# ls -la
    total 28
    drwxr-xr-x 3 root root 4096 Feb 19 14:01 .
    drwxr-xr-x 25 root root 4096 Feb 19 13:40 ..
    -rw------- 1 root root 8192 Feb 27 09:38 aquota.group
    -rw------- 1 root root 8192 Feb 27 09:38 aquota.user
    drwxr-xr-x 8 root root 4096 Feb 23 13:33 www

    [email protected]_name:/home/www# ls -la
    total 36
    drwxr-xr-x 8 root root 4096 Feb 23 13:33 .
    drwxr-xr-x 3 root root 4096 Feb 19 14:01 ..
    drwxr-xr-x 2 ispapps ispapps 4096 Feb 4 20:03 apps
    lrwxrwxrwx 1 root root 31 Feb 4 23:17 DOMAIN_NAME_1 -> /var/www/clients/client23/web6/
    drwxr-xr-x 3 root root 4096 Feb 4 23:17 clients
    drwxr-xr-x 3 root root 4096 Feb 27 03:05 conf
    lrwxrwxrwx 1 root root 32 Feb 5 20:41 DOMAIN_NAME_2 -> /var/www/clients/client23/web13/
    lrwxrwxrwx 1 root root 32 Feb 16 12:50 DOMAIN_NAME_3 -> /var/www/clients/client23/web39/
    -rw-r--r-- 1 root root 177 Feb 4 15:36 index.html
    drwx------ 2 root root 4096 Feb 4 13:17 lost+found
    drwxr-xr-x 7 root root 4096 Feb 23 13:33 php-fcgi-scripts
    lrwxrwxrwx 1 root root 32 Feb 23 13:33 DOMAIN_NAME_4 -> /var/www/clients/client23/web45/
    drwxr-xr-x 2 root root 4096 Feb 27 06:27 webalizer

    I have added /home/www/DOMAIN_NAME_4/web to the open_dir statement on the ISPConfig Option tab ... doesn't help ... I have manually editted the site's apache conf only to get a 403 "You aren't authorized" message. I switched over to suPHP only to get yet another error message

    I believe the symlinks are the issue ... and at this point I am not sure how to fix this.

    Any help the Forum can provide is appreciated.

    Thank you.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Your script should not try to access paths outside of the website root directory. But if you want to allow that anyway, then add the path /var/www/clients/client23/web39 to the open basedir path of the website.

    I dont think that this is related. Your script just tries to access the directory below the vhost root of the site which it should not do. you should consider to report that to the developer if the script.
     
  3. Entangled

    Entangled New Member

    I appreciate the reply ...

    If I upload the script to "web/amember_remote" and kick off the script, I get directory list:

    / var / www / clients / client23 / web39 / web / amember_remote

    when I click on the Protect Folders link, clicking on the web link go up a level, gets a:

    [Fri Feb 27 14:21:28 2015] [warn] [client 97.80.178.92] mod_fcgid: stderr: PHP Warning: is_dir(): open_basedir restriction in effect. File(/var/www/clients/client23/web39) is not within the allowed path(s): (/var/www/clients/client23/web39/web:/home/www/clients/client23/web39/web:/var/www/clients/client23/web39/private:/var/www/clients/client23/web39/tmp:/var/www/DOMAIN_NAME/web:/srv/www/DOMAIN_NAME/web:/usr/share/php5:/usr/share/php:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin) in /var/www/clients/client23/web39/web/members/amember_remote/controllers/AdminController.php on line 254, referer: http://DOMAIN_NAME/amember_remote/admin/protect

    If I upload the script to "web/members/amember_remote" and kick off the script, I get the directory list:

    / var / www / clients / client23 / web39 / web / members / amember_remote

    when I click on the Protect Folders link, clicking on the members link go up a level, I go up one level ... and if I click on the web link, I get the open_basedir error.

    There is something about that web directory, the config statements or the symlinks which is causing an issue with fcgi and this amember_remote script.

    Contacting the Developers was my next step ... the main script doesn't have this problem.

    Thanks again.
     

Share This Page