Completed

open_basedir for Ajenti V web sites

Arthur Wiebe, 10 years ago. Last modified by Eugene Pankov (Project coordinator) 10 years ago.
I am really loving Ajenti V and am testing it in my lab with the plan to implement it in our hosting company.

Now one important thing when serving multiple customers on a single server is security. Specifically in this case when serving PHP, open_basedir becomes very important.

Right now I've tried adding the open_basedir config as a fastcgi_param under nginx but that does not work properly.

The best way for this to be implemented is under the PHP-FPM site config.

What I would LOVE is if under Content -> PHP-FPM there would be an option to enable Basedir restrictions. Or even just enable it by default. The open_basedir would restrict PHP to the document root for that web site.

Without this feature I unfortunately wouldn't be able to use this very nice looking admin panel.

Answer
Completed
Added. Would appreciate a summary on other often-used PHP options!
GOOD, I'M SATISFIED.
Wow. That was fast. We'll certainly be purchasing it.
Satisfaction mark by Arthur Wiebe 10 years ago
Hey Eugeny, it turns out you didn't actually do it properly. You added it to the site's nginx config.

For example, /etc/nginx/conf.d/website.conf contains the following line:
fastcgi_param PHP_VALUE open_basedir="/srv/mywebsite";

But what actually needs to happen is for the following line to be added to the site config in /etc/php5/fpm/php-fpm.conf
php_admin_value[open_basedir] = "/srv/mywebsite"
And it should allow it to be set to multiple paths for example this input should be allowed:
php_admin_value[open_basedir] = "/srv/mywebsite:/tmp:/usr/share/php5"


Arthur,

Is there a real difference between the two approaches? Doesn't PHP_VALUE work?
Yeah the difference is doing it from the nginx config doesn't work for this value. It only works properly if it's done from the PHP-FPM config. It might work for newer versions of nginx/fpm but not with the versions included in Debian 7 stable.

My original comment said "Right now I've tried adding the open_basedir config as a fastcgi_param under nginx but that does not work properly."
Thank you for the info! I'll make these changes asap and notify you.
Does the open_basedir directive in ajenti now support multiple paths or not? I am not sure it does; my installation of owncloud was complaining about an open_basedir value which was set to /srv/owncloud, but owncloud was complaining that /tmp was not in open_basedir. I added both values (colon separated) and it still didn't work; only after setting the value to empty would it run fine.
Yes, you can have multiple values with colon. If you remove the value, it defaults to <website path>:/tmp
Hi Eugene, in my ajenti installation there is no website path as default open_basedir; in fact I made a PHP script to write outside the web root and it works. I have the latest version of ajenti. Did you remove that default value?
Thx

Ram
+1
Yes, I have removed the default value to allow use of code (e.g. some problematic curl modes) which doesn't work at all when open_basedir is set. Instead, open_basedir is added to php.ini values for new websites and can be removed or customized by the user.
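
As an added example (not part of the thread and not Ajenti's code), this Python check audits one site's configuration along the lines discussed above: it flags open_basedir passed through nginx's fastcgi_param and verifies that the PHP-FPM pool sets it with php_admin_value as a colon-separated list covering the document root. The function names and sample configs are constructed for illustration.

```python
import re

# Constructed sample configs modelled on the lines quoted in the thread.
NGINX_CONF = 'fastcgi_param PHP_VALUE open_basedir="/srv/mywebsite";\n'
FPM_POOL = ('[mywebsite]\n'
            'php_admin_value[open_basedir] = "/srv/mywebsite:/tmp:/usr/share/php5"\n')

FPM_RE = re.compile(
    r'^[ \t]*(php_admin_value|php_value)\[open_basedir\][ \t]*=[ \t]*"?([^"\n]*)"?[ \t]*$',
    re.M)
NGINX_RE = re.compile(r'fastcgi_param\s+PHP_(?:ADMIN_)?VALUE\s[^;]*open_basedir')


def covers(base, path):
    """True if `path` is `base` itself or lies underneath it."""
    base = base.rstrip("/") or "/"
    return path == base or path.startswith(base.rstrip("/") + "/")


def audit_site(docroot, fpm_pool, nginx_conf=""):
    """Return findings for one site; an empty list means the restriction is
    set in the PHP-FPM pool config, as the thread asks for."""
    findings = []
    if NGINX_RE.search(nginx_conf):
        findings.append("nginx: open_basedir passed via fastcgi_param")
    m = FPM_RE.search(fpm_pool)
    if m is None:
        findings.append("fpm: open_basedir not set in pool config")
        return findings
    directive, value = m.groups()
    if directive == "php_value":
        findings.append("fpm: php_value used; php_admin_value cannot be "
                        "overridden by ini_set()")
    paths = [p for p in value.strip().split(":") if p]
    if not paths:
        findings.append("fpm: open_basedir is empty, restriction disabled")
    for p in paths:
        if not p.startswith("/"):
            findings.append(f"fpm: relative entry {p!r}")
        elif p == "/":
            findings.append("fpm: entry '/' allows the whole filesystem")
    if paths and not any(covers(p, docroot) for p in paths):
        findings.append(f"fpm: docroot {docroot} not inside any entry")
    return findings
```

Calling `audit_site("/srv/mywebsite", FPM_POOL)` returns an empty list, while passing only `NGINX_CONF` reports both the fastcgi_param use and the missing pool setting.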