[BlueOnyx:10318] Re: 5107R - Issue with PHP open_basedir - running in a cron job

Michael Stauber mstauber at blueonyx.it
Tue Apr 24 11:58:11 -05 2012


Hi Peter,

> PHP Warning:  require_once(): open_basedir restriction in effect.
> File(/home/.sites/28/site1/web/admin/incConnection.php) is not within
> the allowed path(s):
> (/usr/sausalito/configs/php/:/tmp/:/var/lib/php/session/) in
> /home/.sites/28/site1/web/cron-daily-mail-insert.php on line 4
> PHP Warning:
> require_once(/home/.sites/28/site1/web/admin/incConnection.php): failed
> to open stream: Operation not permitted in
> /home/.sites/28/site1/web/cron-daily-mail-insert.php on line 4
> PHP Fatal error:  require_once(): Failed opening required
> 'admin/incConnection.php'
> (include_path='.:/usr/share/pear:/usr/share/php') in
> /home/.sites/28/site1/web/cron-daily-mail-insert.php on line 4
> 
> I receive the above error - even though the PHP settings for the site
> are set to have the  /home/.sites/28/site1/  directory in it as follows;
> 
> /tmp/:/var/lib/php/session/:/usr/sausalito/configs/php/:/home/.sites/28/site1/
> 
> Any one got any ideas - my client is getting a bit upset :-(

Ok, the problem here is that "open_basedir restriction in effect" and that 
this is a cronjob.

When you run the PHP interpreter from the command line, it uses the settings 
from /etc/php.ini - or the php.ini of your third party PHP if you have one 
installed. 

That php.ini does not have the path to the sites in it. And it has none of the 
PHP settings in it, which you have defined for your site. Instead it will use 
the server wide settings.

These server wide settings don't have the open_basedir path 
/home/.sites/28/site1/web/ in it, because these paths are defined on a site by 
site basis and not globally.

Now there are three ways how you can get your PHP cronjob working and they 
have nothing to do with the patch from last Friday. Even without that patch 
the problem would be the same and the work around would be the same:

a.) If suPHP is enabled for that site:
============================

If suPHP is enabled for that site, this site has its own php.ini with all the 
required settings in it. This would be preferable.

So you would call your cronjob this way:

/usr/bin/php --php-ini /home/.sites/28/site1/php.ini \
/home/.sites/28/site1/web/cron-daily-mail-insert.php

That way the PHP interpreter will load your site's php.ini file before parsing 
and executing your PHP script. And everything will work just fine.


b.) If you don't have suPHP enabled for that site:
======================================

Then things get a bit more complicated. You'd need to make sure that the PHP 
interpreter runs in a way that open_basedir contains all the paths that your 
script needs to access.

One way of doing so is calling the cronjob this way:

/usr/bin/php --define "open_basedir=/" \
/home/.sites/28/site1/web/cron-daily-mail-insert.php

That will reset "open_basedir" to / - which then grants this particular script 
access to everything on the filesystem.

c.) No suPHP and doing it the wrong way:
==================================

Edit your global php.ini file to add / to the global "open_basedir" of the 
server. To do so use the GUI:

Go to "Server Management" / "Security" / "PHP Settings" and there change 
"open_basedir" from ...

/tmp/:/var/lib/php/session/:/usr/sausalito/configs/php/

... to this:

/tmp/:/var/lib/php/session/:/usr/sausalito/configs/php/:/

That adds the / to the end of it and again grants scripts access to 
everything. However, a security-minded admin wouldn't do so. Instead he'd 
either use the suPHP method outlined under (a) or the other method outlined 
under (b).


Hope this helps.

-- 
With best regards

Michael Stauber
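
Methods (a) and (b) from the message above as a cron wrapper, an added example that is not part of the original post: it uses the site's own php.ini when one exists, and otherwise passes the global open_basedir list with only the site directory appended, a narrower variant of (b) than "/". The function name php_cron_cmd, the PHP_BIN variable and the path character allowlist are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the original post.
# Prints the PHP CLI command line for a site's cron job.
# Assumed layout (as on the page): <site_root>/php.ini and <site_root>/web/...

# Global open_basedir entries quoted in the post.
BASE_DIRS="/tmp/:/var/lib/php/session/:/usr/sausalito/configs/php/"

php_cron_cmd() {
    site_root=${1%/}                  # drop one trailing slash
    script=$2
    php_bin=${PHP_BIN:-/usr/bin/php}  # PHP_BIN is a hypothetical override

    # Only plain path characters, so the printed line is safe in a crontab.
    case "$site_root$script" in
        *[!A-Za-z0-9/._-]*) echo "unexpected character in path" >&2; return 1 ;;
    esac
    # No ".." components, and the script must live under the site root.
    case "$script" in
        */../*|*/..) echo "path traversal in script path" >&2; return 1 ;;
    esac
    case "$script" in
        "$site_root"/*) ;;
        *) echo "script is not under $site_root" >&2; return 1 ;;
    esac

    if [ -r "$site_root/php.ini" ]; then
        # Method (a): suPHP site, load the site's own php.ini.
        printf '%s --php-ini %s %s\n' "$php_bin" "$site_root/php.ini" "$script"
    else
        # Method (b), narrowed: allow the site directory instead of "/".
        printf '%s --define open_basedir=%s:%s/ %s\n' \
            "$php_bin" "$BASE_DIRS" "$site_root" "$script"
    fi
}

# Paths from the post; which branch is printed depends on whether
# /home/.sites/28/site1/php.ini exists on the machine running this.
php_cron_cmd /home/.sites/28/site1 \
    /home/.sites/28/site1/web/cron-daily-mail-insert.php
```

The printed line is what goes into the crontab entry; run the function once by hand and check which branch it chose before installing it.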
