Completed
open_basedir for Ajenti V web sites
I am really loving Ajenti V and am testing it in my lab with the plan to implement it in our hosting company.
Now one important thing when serving multiple customers on a single server is security. Specifically in this case when serving PHP, open_basedir becomes very important.
Right now I've tried adding the open_basedir config as a fastcgi_param under nginx but that does not work properly.
The best way for this to be implemented is under the PHP-FPM site config.
What I would LOVE is if under Content -> PHP-FPM that there would be an option to enable Basedir restrictions. Or even just enable it by default. The open_basedir would restrict PHP to the document root for that web site.
Without this feature I unfortunately wouldn't be able to use this very nice looking admin panel.
Eugene Pankov (Project coordinator) 10 years ago
Added. Would appreciate a summary on other often-used PHP options!
Hey Eugeny, it turns out you didn't actually do it properly. You added it to the site's nginx config.
For example, /etc/nginx/conf.d/website.conf contains the following line:
fastcgi_param PHP_VALUE open_basedir="/srv/mywebsite";
But what actually needs to happen is for the following line to be added to the site config in /etc/php5/fpm/php-fpm.conf
php_admin_value[open_basedir] = "/srv/mywebsite"
And it should allow it to be set to multiple paths for example this input should be allowed:
php_admin_value[open_basedir] = "/srv/mywebsite:/tmp:/usr/share/php5"
Arthur,
Is there a real difference between two approaches? Doesn't PHP_VALUE work?
Yeah the difference is doing it from the nginx config doesn't work for this value. It only works properly if it's done from the PHP-FPM config. It might work for newer versions of nginx/fpm but not with the versions included in Debian 7 stable.
My original comment said "Right now I've tried adding the open_basedir config as a fastcgi_param under nginx but that does not work properly."
Thank you for the info! I'll make these changes asap and notify you.
Does the open_basedir directive in Ajenti now support multiple paths or not? I am not sure it does; my installation of ownCloud was complaining about an open_basedir value which was set to /srv/owncloud, but ownCloud was complaining that /tmp was not in open_basedir; I added both values and it still didn't work (colon separated); only after setting the value to empty would it run fine.
Yes, you can have multiple values with a colon. If you remove the value, it defaults to <website path>:/tmp
Hi Eugene, in my Ajenti installation there is no website path as the default open_basedir; in fact I made a PHP script to write outside the web root and it works. I have the latest version of Ajenti. Did you remove that default value?
Thx
Ram
Yes, I have removed the default value to allow use of code (e.g. some problematic curl modes) which doesn't work at all when open_basedir is set. Instead, open_basedir is added to php.ini values for new websites and can be removed or customized by the user.
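Since the thread ends with open_basedir no longer being a default and being removable per site, here is an added example (not Ajenti's code and not from any poster) that parses PHP-FPM pool configuration text and reports pools with no php_admin_value[open_basedir], or whose list omits a path the site needs, as in the ownCloud /tmp report above. The sample configuration, the pool names and the `required` mapping are assumptions constructed for illustration.

```python
import re

# Constructed sample PHP-FPM pool configuration, not taken from a real server.
SAMPLE_CONF = """\
[global]
[mywebsite]
php_admin_value[open_basedir] = "/srv/mywebsite:/tmp:/usr/share/php5"
[owncloud]
php_admin_value[open_basedir] = "/srv/owncloud"
[legacy]
; open_basedir was removed for this site
"""

SECTION = re.compile(r"^\[([^\]]+)\]$")
BASEDIR = re.compile(r"^php_admin_value\[open_basedir\]\s*=\s*(.*)$")


def parse_pools(text):
    """Return {pool name: list of open_basedir paths, or None if unset}."""
    pools, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        section = SECTION.match(line)
        if section:
            current = section.group(1)
            if current != "global":
                pools[current] = None
            continue
        setting = BASEDIR.match(line)
        if setting and current in pools:
            value = setting.group(1).strip().strip("\"'")
            pools[current] = [p for p in value.split(":") if p]
    return pools


def audit(text, required):
    """Findings per pool; `required` (assumed input) maps pool -> needed paths."""
    findings = {}
    for pool, paths in parse_pools(text).items():
        if not paths:
            findings[pool] = ["open_basedir not set"]
            continue
        allowed = [p.rstrip("/") or "/" for p in paths]
        issues = ["open_basedir contains /"] if "/" in allowed else []
        for need in required.get(pool, []):
            if not any(need == a or need.startswith(a + "/") for a in allowed):
                issues.append(f"{need} is outside open_basedir")
        findings[pool] = issues
    return findings
```

An empty list for a pool means the restriction is present and covers every path listed for that site.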