1

We have a server (running PHP-FPM 7.4 on Apache) that hosts various scripts, frameworks and applications like DokuWiki. It's grown to a pretty complex beast. We would like to apply an open_basedir restriction. Just setting a best-guess open_basedir is bound to cause problems. Is there a way to find out the minimal set of paths that are actually required?

If an open_basedir restriction could be made non-fatal, for instance, so that it logs warnings instead of errors, we could monitor these. But I found no way to make open_basedir non-fatal.

xebeche
  • 363
  • 3
  • 13

1 Answer

2

open_basedir cannot be put into something similar to SELinux "permissive mode", where would-be-denied accesses are logged but not really blocked.

My best advice is to use strace to look at the openat system call from httpd or php-fpm. You can do that at runtime via the following command:

strace -f -e openat -p "$(pidof httpd php-fpm)"

To save strace output to a file, add -o /my/file.txt.

shodanshok
  • 47,711
  • 7
  • 111
  • 180
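One way to turn the saved strace output into a candidate open_basedir value, as an added example that is not part of the answer above: it parses the pid-prefixed lines that strace -f writes, keeps the absolute path argument of each file-access syscall, and collapses the result to the smallest set of directories that covers every observed path. The sample trace is constructed, and matching open/stat/lstat/access in addition to openat is an assumption about what else PHP touches.

```python
import re

# Constructed sample of `strace -f -e openat -o file` output; not a real server trace.
SAMPLE_STRACE = """\
12345 openat(AT_FDCWD, "/var/www/dokuwiki/doku.php", O_RDONLY) = 12
12345 openat(AT_FDCWD, "/var/www/dokuwiki/inc/init.php", O_RDONLY) = 13
12345 openat(AT_FDCWD, "/var/www/dokuwiki/data/cache/a/abc.php", O_RDONLY) = -1 ENOENT (No such file or directory)
12346 openat(AT_FDCWD, "/tmp/sess_0123abcd", O_RDWR|O_CREAT, 0600) = 14
12346 openat(AT_FDCWD, "/etc/php/7.4/fpm/php.ini", O_RDONLY) = 5
12346 openat(AT_FDCWD, "/usr/lib/php/20190902/json.so", O_RDONLY|O_CLOEXEC) = 6
12345 openat(AT_FDCWD, "/var/www/html/index.php", O_RDONLY) = 15
12345 +++ exited with 0 +++
"""

# Path argument of open/openat and the stat family in strace's default output.
# The optional leading pid appears with -f or several -p targets. Syscalls other
# than openat are an assumption about what PHP uses for file access.
SYSCALL_RE = re.compile(
    r'^(?:\d+\s+)?(?:openat|open|stat|lstat|access)\((?:AT_FDCWD, )?"([^"]+)"'
)

def extract_paths(strace_text):
    """Absolute paths seen in file-access syscalls. Failed opens (ENOENT) are
    kept too: open_basedir is checked before the file is looked up."""
    paths = set()
    for line in strace_text.splitlines():
        m = SYSCALL_RE.match(line)
        if m and m.group(1).startswith("/"):   # skip dirfd-relative paths
            paths.add(m.group(1))
    return paths

def minimal_dirs(paths, max_depth=None):
    """Collapse file paths to their directories, optionally truncated to
    max_depth components, and drop any directory nested under another."""
    dirs = set()
    for p in paths:
        d = p.rsplit("/", 1)[0] or "/"
        if max_depth is not None:
            d = "/" + "/".join(d.strip("/").split("/")[:max_depth])
        dirs.add(d)
    return sorted(d for d in dirs
                  if not any(o != d and d.startswith(o.rstrip("/") + "/") for o in dirs))

def open_basedir_value(paths, max_depth=None):
    """Directive value. open_basedir entries are prefixes, so the trailing
    slash stops /tmp from also permitting /tmpfoo."""
    return ":".join(d.rstrip("/") + "/" for d in minimal_dirs(paths, max_depth))
```

Review the resulting list by hand: files the interpreter itself opens at startup (its ini files, extension .so files) show up in the trace alongside script accesses, and rarely used code paths only appear once the trace has covered enough real traffic.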