I am running a Drupal site on my server, and one of the contributed modules I have installed needs ImageMagick. How do I securely allow access to /usr/bin/convert. I think that I have Chmod 777 to the entire /usr/bin. Is there anyway to check this, and what permissions should I place? Thanks for the help.
Do not chmod 777 or every of your users is able to replace the binary with aharmful application. Just leve it as it is as the binary is executable by every normal user already.
Please post the exact error messages from the error log of the website and the error messages in the application if we shall be able to help you with that.
Also, one of my sites is able to find the directory, but one of them is not able to. Any ideas? The error on the one that is not able to is this: Code: * warning: file_exists() [function.file-exists]: open_basedir restriction in effect. File(/usr/bin/convert) is not within the allowed path(s): (/var/www/clients/client1/web1) in /var/www/clients/client1/web1/web/includes/image.imagemagick.inc on line 55. * No file /usr/bin/convert could be found. PHP's open_basedir security restriction is set to /var/www/clients/client1/web1, which may be interfering with the attempts to locate ImageMagick.
Here are the error files again: * warning: file_exists() [function.file-exists]: open_basedir restriction in effect. File(/usr/bin/convert) is not within the allowed path(s): (/var/www/clients/client1/web1) in /var/www/clients/client1/web1/web/includes/image.imagemagick.inc on line 55. * No file /usr/bin/convert could be found. PHP's open_basedir security restriction is set to /var/www/clients/client1/web1, which may be interfering with the attempts to locate ImageMagick.
I have been doing some more digging into this, and it appears that the PHP is running in safe mode. This is blocking the server being able to look in this directory for the one site. I am still not sure why it is working on the other one. I did some more testing, and I had turned on SuPHP on one the website that it was working on. I went back to that site and turned on FastCGI. It still worked. I did the same thing in the other site, and it worked. Why would that be? Thanks.
The problem is not related ro safemode as safemode. The problems is the open_basedir setting which denies the access to system directories for security reasons. There are 2 possible solutions: 1) If you dont need access for all sites to the convert binary, copy create a bin directory in the website root directory and copy the convert program to this place or make a hardlink. 2) Add ":usr/bin" at the end of theopen_basedir path in the vhost template and the fcgi script templates in /usr/local/ispconfig/server/conf/ and then update the site to allow all scripts the access to the /usr/bin/ directory.
Alright. I have tried to do this, but I must being doing something wrong. These are the files that I have edited. vhost.conf.master php-fcgi-starter.master I added the the :usr/bin in these locations: vhost.conf.master Code: <tmpl_if name='php' op='==' value='mod'> # mod_php enabled AddType application/x-httpd-php .php .php3 .php4 .php5 php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -fwebmaster@<tmpl_var name='domain'>" php_admin_value upload_tmp_dir <tmpl_var name='document_root'>/tmp php_admin_value session.save_path <tmpl_var name='document_root'>/tmp <tmpl_if name='security_level' op='==' value='20'> php_admin_value open_basedir <tmpl_var name='document_root'>/web:<tmpl_var name='document_root'>/tmp:/usr/share/php5:/tmp:[B]usr/bin[/B] php-fcgi-starter.master Code: #!/bin/sh PHPRC="<tmpl_var name='php_ini_path'>" export PHPRC PHP_DOCUMENT_ROOT="<tmpl_var name='document_root'>" export PHP_DOCUMENT_ROOT # The variable PHP_FCGI_CHILDREN is onyl useful for lighty or nginx as apache # mod_fcgi will control the number of childs themself and never use the additional processes. # PHP_FCGI_CHILDREN=<tmpl_var name='php_fcgi_children'> # export PHP_FCGI_CHILDREN PHP_FCGI_MAX_REQUESTS=<tmpl_var name='php_fcgi_max_requests'> export PHP_FCGI_MAX_REQUESTS exec <tmpl_var name='php_fcgi_bin'> \ <tmpl_if name="security_level" op="==" value="20"> -d open_basedir=<tmpl_var name='document_root'>[B]:usr/bin[/B] \ -d upload_tmp_dir=<tmpl_var name='document_root'>/tmp \ -d session.save_path=<tmpl_var name='document_root'>/tmp \ </tmpl_if> $1 This is not working correctly for me. Here is the new error. It appears that directories are not being separated. No file /usr/bin/convert could be found. PHP's open_basedir security restriction is set to /var/www/clients/client1/web2:usr/bin, which may be interfering with the attempts to locate ImageMagick. Any ideas?
The fix is described in the thread. Just change the line: Code: <tmpl_if name="security_level" op="==" value="20"> -d open_basedir=<tmpl_var name='document_root'> \ to: Code: <tmpl_if name="security_level" op="==" value="20"> -d open_basedir=<tmpl_var name='document_root'>:/usr/bin \
Just to clarify: In /usr/local/ispconfig/server/conf: Change the vhost.conf.master From: Code: php_admin_value open_basedir <tmpl_var name='document_root'>/web:<tmpl_var name='document_root'>/tmp:/usr/share/php5:/tmp To: Code: php_admin_value open_basedir <tmpl_var name='document_root'>/web:<tmpl_var name='document_root'>/tmp:/usr/share/php5:/tmp:/usr/bin In my case, I wanted to use it with FastCGI. I also changed this the fastcgi starter as well. Change the php-fcgi-starter.master From: Code: <tmpl_if name="security_level" op="==" value="20"> -d open_basedir=<tmpl_var name='document_root'> \ To: Code: <tmpl_if name="security_level" op="==" value="20"> -d open_basedir=<tmpl_var name='document_root'>:/usr/bin \ You then have to change the PHP in the control panel, and then change it back to make it work. Hope it helps.
