Unable to access folder outside of the website using PHP

Discussion in 'Installation/Configuration' started by lioloprod, Nov 13, 2024.

  1. lioloprod

    lioloprod New Member

    Hi, good day. Well, I have been using ISPconfig for more than 10 years and it is great, since then I have been following the tutorial called THE PERFECT SERVER, with excellent results.
    Scenario:
    1. I am testing a new server,
    2. I even tried two versions of RHEL 9.4, AlmaLinux and Rocky, both running Remi PHP 8.2. I am trying to install Nextcloud 28 with the data dir in a different location. SAME ERROR on both.
    3. I even downgraded PHP to 8.1, trying to copy the configuration from another server that works ok.
    Results:
    All works great as usual with ISPconfig but when I add the route that is located outside the WEBSITE STRUCTURE
    WEBSITE > OPTIONS > PHP open_basedir > : DIR_OUT_OF_WEB
    ERROR HAPPENS BECAUSE THE NEW ADDED LOCATION ON open_basedir is NOT recognized and WILL NOT WORK.
    I tried completely disabling the open_basedir by writing "none", then tried " :/", but the open_basedir configuration written in the box HAS NO EFFECT. I EVEN SEARCHED ON php.ini and httpd.conf but all seems ok.
    I even tried to create symlink and used this option by checking on it:
    "Deactivate symlinks restriction of the web space"
    I simply cannot obtain access to folders and files outside the open_basedir, EVEN IF I ADDED THE CORRECT PATH TO IT.
    I HAVE SPENT THE LAST MONTH TRYING TO MAKE THIS WORK BUT I CANNOT. PLEASE HELP.
    The peculiar thing is that 9 months ago I made a server with same characteristics and all works great, NO errors and open_basedir working just fine.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    This sounds as if your issue is not the open_basedir but other Linux filesystem permissions that prevent access. You can test this using the phpinfo(); command in PHP or look into the PHP-FPM pool file when using PHP-FPM mode. Set the desired open_basedir and wait until the config has been written. Also take care not to enable PHP chroot, as this is a function to prevent PHP scripts from accessing files outside of the website.

    Also as a note, neither AlmaLinux nor Rocky Linux are supported and we do not provide a perfect server guide for them. If you want to have a reliable setup, use Debian 12 or Ubuntu 24.04 with the auto-installer.

    And please do not re-open old threads; you posted to an 11-year-old thread. I have moved your post to a new thread.
     
    ahrasis likes this.
  3. lioloprod

    lioloprod New Member

    I wish you all a Merry Christmas from Los Angeles, CA!
    Especially for Till! Man... your effort transcends far, thank you so much. You are a star.
    It is with the tutorials from here that I learned how to manage web servers some years ago, thank you for the amazing service.

    With all respect, I am scared to ever use an Ubuntu or Debian server for production purposes since once I got hacked badly, after that occasion I stick to RHEL, although a little more hassle, I really like it, it works great.

    Although I do NOT follow conventional religions, my Christmas gift today was to finally have time and sit down to fix this issue that was driving me crazy for a long time, the reason is

    I like to combine Wordpress with Nextcloud to create more productive sites and I move the Nextcloud Data dir to a separate partition (to be able to use bigger conventional hard drives).
    /var/www/clients/client1/web2/web => Wordpress
    /var/www/clients/client1/web2/web/cloud => Nextcloud
    [ /var/www/clients/client1/web2/web/cloud/data => Default Nextcloud Data ]
    /var/collections/storage/www/nhol-cloud-data => Nextcloud Data
    on a bigger volume, so open_basedir prevented me from reaching it.

    So my understanding is:
    open_basedir should be set in the httpd.conf, php.ini or vhost.conf
    1. I searched open_basedir on each file and it was located in php.ini
    2. From the default config in open_basedir
    Websites > SITE.com > Options > PHP open_basedir
    which works great, implement it here same:

    nano /etc/php.ini
    EDIT
    open_basedir = /var/www:/tmp:/var/tmp:/usr/share/php5:/usr/share/php:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/dev/random:/dev/urandom:/usr/bin/clamscan:/var/collections/storage/www
    3. Reload and restart services to see changes immediately.
    systemctl daemon-reload
    systemctl restart httpd php-fpm

    ===================
    AlmaLinux release 9.5 (Teal Serval)
    PHP 8.2.27 (cli)
     
  4. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Sorry, but getting hacked is never about using a distro like Ubuntu or Debian, as you can get hacked using any distro, even the RHEL that you are now using. It is all about how one manages access to the servers.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Thanks, I wish you a merry Christmas too.

    Like @ahrasis mentioned, the fact that you got hacked was unrelated to using Debian or Ubuntu. From a security standpoint, RHEL is not more secure than Debian and Ubuntu, RHEL just has higher maintenance cost and tends to break more often on sys upgrades. If a Linux hosting server gets hacked, it's not the OS but the hosted websites that cause it.

    Regarding your open basedir question, allowing all sites to access the NextCloud storage is not really secure. Also, the websites override the php.ini settings, so setting this in php.ini is unnecessary.
     
    ahrasis likes this.
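
The two checks till describes in this thread (reading the per-site PHP-FPM pool file, and telling an open_basedir refusal apart from a filesystem permission refusal), as an added example that is not part of the original posts or of ISPConfig. It assumes the pool file sets the value with `php_admin_value[open_basedir]`; the pool contents, the web3 site and all function names are constructed for illustration.

```python
import os
import stat

# Constructed pool fragments: paths follow the thread, web3 and helper names are hypothetical.
POOL_WEB2 = """[web2]
; per-site value, this is what overrides php.ini
php_admin_value[open_basedir] = /var/www/clients/client1/web2/web:/tmp:/var/collections/storage/www/nhol-cloud-data
"""
POOL_WEB3 = """[web3]
php_admin_value[open_basedir] = /var/www/clients/client1/web3/web:/tmp
"""

def pool_open_basedir(pool_text):
    """Return the open_basedir entries set in a pool file, or None if unset."""
    for line in pool_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "php_admin_value[open_basedir]":
            return [e for e in value.strip().strip("\"'").split(":") if e]
    return None

def inside_open_basedir(path, entries):
    """Directory-name match after resolving symlinks, not a string prefix match."""
    real = os.path.realpath(path)
    for entry in entries:
        base = os.path.realpath(entry).rstrip(os.sep)
        if real == base or real.startswith(base + os.sep):
            return True
    return False

def first_blocking_dir(path, uid, gids):
    """First directory uid/gids cannot traverse, by mode bits only (no ACLs, no SELinux)."""
    current = os.sep
    for part in [""] + [p for p in os.path.realpath(path).split(os.sep) if p]:
        current = os.path.join(current, part)
        st = os.stat(current)
        if not stat.S_ISDIR(st.st_mode):
            break
        bit = stat.S_IXUSR if st.st_uid == uid else stat.S_IXGRP if st.st_gid in gids else stat.S_IXOTH
        if not st.st_mode & bit:
            return current
    return None

def diagnose(pool_text, path, uid, gids):
    """Say which layer refuses the path for this pool: open_basedir or permissions."""
    entries = pool_open_basedir(pool_text)
    if entries is not None and not inside_open_basedir(path, entries):
        return "open_basedir"
    blocker = first_blocking_dir(path, uid, gids)
    return "filesystem:" + blocker if blocker else "ok"
```

Run `diagnose` with the uid and group ids of the site's PHP-FPM pool user; adding the storage path to one site's pool, as in `POOL_WEB2`, leaves every other site's pool unable to reach it.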
  6. remkoh

    remkoh Active Member HowtoForge Supporter

    You could more or less replicate phpmyadmin settings in your webserver to create an alias for nextcloud like there is for phpmyadmin.
    It will then have its own php settings, unrelated to the website's php version and ini settings the alias is called from.

    And with the ispc nextcloud plugin you should be able to manage your nextcloud accounts from within ispc.
    https://www.ispconfig.org/blog/new-ispconfig-nextcloud-plugin-for-user-and-password-synchronization/

    I totally agree with @till and @ahrasis about hacking and os.
    Getting hacked has nothing to do with your os and all with installed software and its config.
    I had a webserver that got hacked badly 20+ years ago that happened to run rh (rhel didn't exist yet).
    It had nothing to do with the os and all with the apache config.
     
    Last edited: Dec 25, 2024
    ahrasis likes this.
