1

Essentially i found out you can prevent one site which has a security hole from modifying/reading another site via "open_basedir".

However when i upload media files using wordpress i got the error

[error] 3048#0: *42070 FastCGI sent in stderr: "PHP Warning:  file_exists(): open_basedir restriction in effect. File(/tmp/php51UUIj) is not within the allowed path(s): (/var/www/wordpress-site) in /var/www/wordpress-site/wp-includes/functions.php on line 2505
PHP Warning:  file_exists(): open_basedir restriction in effect. File(/tmp//TheFile.tmp) is not within the allowed path(s): (/var/www/wordpress-site) in /var/www/wordpress-site/wp-includes/functions.php on line 2340
PHP Warning:  touch(): open_basedir restriction in effect. File(/tmp/TheFile.tmp) is not within the allowed path(s): (/var/www/wordpress-site) in /var/www/wordpress-site/wp-admin/includes/file.php on line 177" while reading response header from upstream, client: 69.196.169.22, server: wordpress-site.com, request: "POST /wp-admin/async-upload.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fastcgi/php-fcgi.socket:", host: "wordpress-site.com", referrer: "http://wordpress-site.com/wp-admin/media-upload.php?post_id=245&"

Removing this line from nginx fixed it

fastcgi_param  PHP_VALUE            open_basedir=$document_root;

However thats because open_basedir is disabled and now a hole in one site can access data in another. Is it possible to have open_basedir and allow wordpress to move /tmp/somefile into its own site directory?

2 Answers2

1

This is very direct, but explains it pretty good: open_basedir is like peeing your pants to stay warm.

Yes, it prevents functions like file_get_contents and such from accessing anything outside the desired directory. But then I could just use exec("cat /etc/passwd", $res); or some of the other functions that does similar things.

But, to answer your question, the way one does this in PHP is by adding the folders allowed separated by colon. E.g. 

"/var/www/horses.com:/tmp:/uploads"
Frands Hansen
  • 4,657
  • 1
  • 17
  • 29
  • 1
    Nice. I wrote `fastcgi_param PHP_VALUE open_basedir="$document_root:/tmp";` and it worked –  Jan 27 '12 at 23:32
1

Give wordpress a temp directory within the docroot /var/www/wordpress-site and make it use that.

Do not add /tmp/ to the list of allowed directories - that would be unsafe.

Bill T
  • 21
  • 2
  • ... Except, half of the modules requires to do temp files. also usually mysql socket is there. – Nick Aug 09 '22 at 08:11