1. Community
  2. grid
  3. Article

How do I set the path for open_basedir?

Browse by products and services

Legacy DV and VPS Hosting

Grid Hosting

  • Applies to: Grid
    • Difficulty: Medium
    • Time Needed: 10
    • Tools Required: Plain text editor, FTP client or AccountCenter access
  • Applies to: Legacy DV & VPS Hosting
    • Difficulty: Medium
    • Time Needed: 10
    • Tools Required: Plesk
  • Applies to: DV 4.0
    • Difficulty: Medium
    • Time Needed: 10
    • Tools Required: SSH, root access, vi knowledge

Overview

open_basedir can be used to limit the files that can be accessed by PHP to the specified directory-tree, including the file itself. When a script tries to access the filesystem, for example using include, or fopen(), the location of the file is checked. When the file is outside the specified directory-tree, PHP will refuse to access it.

Basically, open_basedir tells PHP which directories a script can interact with other than the directory it is located in.

This KnowledgeBase article is designed to show what an open_basedir error looks like, and how to resolve it.

Requirements

Before you start, you should be familiar with and/or have handy:

READ ME FIRST
This article is provided as a courtesy. Installing, configuring, and troubleshooting third-party applications is outside the scope of support provided by (mt) Media Temple. Please take a moment to review the Statement of Support.

READ ME FIRST
Please be aware that the following changes in your vhost.conf file will take precedence over any settings you may have in your httpd.conf file.

This article is provided as a courtesy. Assistance with the configuration of PHP Settings on your (dv) 4.0 server is not covered by (mt) Media Temple's Statement of Support. Please take a moment to review the Statement of Support.

READ ME FIRST
Please be aware that changes made to the PHP Settings in Plesk will overwrite any manual changes made to php.ini for your domain. This article is provided as a courtesy. Assistance with the configuration of PHP Settings on your DV server is not covered by (mt) Media Temple's Statement of Support. Please take a moment to review the Statement of Support.

Symptoms

If your application is trying to open a file that is not in your open_basedir allowed directory, you will get an error like this, or something similar:

Warning: include_once() [function.include-once]: open_basedir restriction in effect. File(/nfs/c00/h00/mnt/00000/domains/gs-example.com/html/include.php) is not within the allowed path(s): (/home/00000/domains/example.com/html/) in /nfs/c00/h00/mnt/00000/domains/gs-example.com/html/index.php on line 10

 

Here's the error without all the long paths, so you know what to look for:

Warning: open_basedir restriction in effect. File(example.php) is not within the allowed path(s)

 

Instructions

  1. Open the php.ini file.
  2. Add or edit the following line:

    Filename: php.ini

    open_basedir = "/path/to/first/folder:/path/to/second/folder"

    Notes on this file:

    • Make sure you always include the path to your html directory and your local /home/00000/data/tmp/ directory. Just /tmp/ will work too, but you have less control over that directory.
    • Do not use paths that look like nfs/c00/h00/mnt/. Use /home/00000/ plus the rest of your path (where 00000 is your site number).

    CAUTION:

    Make sure you do not use a path that is too broad, such as /home/00000/ by itself - this will allow all directories to access each other, and is a security risk.

  3. Ensure your changes are saved.
  4. Refresh your page. If you have listed all the necessary paths, you should no longer see the open_basedir error. You can also create an phpinfo.php page and check the value of open_basedir.

Although this is not advised, you do also have the option to disable open_basedir in the php.ini by using the following:

open_basedir = none

Here's how to set open_basedir on a domain:

  1. SSH into your Plesk machine as root and cd to the conf directory for the domain on which you want to modify open_basedir. Something like this should work: 
    cd /var/www/vhosts/example.com/conf/
  2. Create a file called vhost.conf with the following contents:

    NOTE:

    If you would like to use open_basedir via https, follow the instructions below but create vhost_ssl.conf instead of vhost.conf. If you would like to enable this for subdomains, you must create the appropriate vhost.conf files for all subdomains that you need and then reconfigure the main vhost.conf file.

    vi vhost.conf

    For DV server 4.0 systems:

    <Directory "/var/www/vhosts/example.com/httpdocs">
php_admin_value open_basedir "/var/www/vhosts/example.com/httpdocs/:/tmp/:/path/to/first/folder/:/path/to/second/folder/"
php_admin_value include_path "/var/www/vhosts/example.com/httpdocs/:/tmp/:/path/to/first/folder/:/path/to/second/folder/"
</Directory>

    For any additional domains, this would be for domains on the same subscription in Plesk.

    <Directory "DOCUMENTROOT">
  php_admin_value open_basedir "DOCUMENTROOT:/tmp/:/path/to/first/folder/:/path/to/second/folder/"
  php_admin_value open_basedir "DOCUMENTROOT:/tmp/:/path/to/first/folder/:/path/to/second/folder/"
</Directory>

    You can obtain what the document root actually is with the following command:

    cd /var/www/vhosts/example.com/conf && ls -tcr *httpd.include | tail -1 | xargs grep -m 1 DocumentRoot

    TIP:

    If you want to switch off safe_mode on a per domain basis, you can add the following line:

    php_admin_value safe_mode Off

    NOTE:

    While this is not advised, you can also disable open_basedir for the website by adding the following line to the vhost.conf file:

    php_admin_value open_basedir none
  3. Reconfigure your webserver so it will look for your new vhost.conf file by doing this:
    /usr/local/psa/admin/sbin/httpdmng --reconfigure-domain example.com
  4. Finally, you must restart Apache, this can be done through Plesk or by executing the following commands: 
    /etc/init.d/httpd stop
/etc/init.d/httpd start

Intructions for Plesk

Plesk 11.5 and later introduces the ability to edit the open_basedir value through the PHP Settings menu. The following steps explain how to access this option.

    1. Select the Websites & Domains tab.

137_1

    1. Expand the advanced options by clicking the arrow, as shown below:

137_2

    1. Select PHP Settings from the menu.

137_3

    1. Scroll down to the open_basedir item to perform your changes:

  1. Click "OK" at the bottom to save.

IMPORTANT
If you make any changes through the "PHP Settings" menu in Plesk, it will overwrite any manual changes you have already made to /var/www/vhosts/DOMAIN/etc/php.ini via SSH or FTP.

Instructions for cPanel

1. cPanel makes it easy to toggle the open_basedir tweak from WHM. Log into WHM and select PHP open_basedir Tweak from the Security Settings menu on the left.

When you enable the open_basedir tweak for cPanel, the system adds PHP directives to each Virtual Host in the httpd.conf file:

/usr/lib/php
/usr/local/lib/php
/tmp

From the cPanel documentation:

"This security tweak modifies the Apache configuration file, regardless of the PHP handler that you have selected.

  • Apache configuration file directives for PHP only take effect if you select the DSO handler. 
  • If you have configured PHP to run as a CGI, suPHP, or FastCGI process, you must manually specify the open_basedir directive in the appropriate php.ini file. Users must each have their own php.ini files when they use a PHP handler that is not DSO. "

This means that if you have changed your PHP handler to something other than DS0, you'll need to manually add PHP's restricted directories to the php.ini file.

3. To edit the open_basedir paths, open php.ini and add your directories using this format:
open_basedir = "/path/to/first/folder:/path/to/second/folder"

   

Resources

Article Contents: