
Trying to use the PHP filter_var function, but am getting the following in the error_log when it executes:

```
[Wed May 11 10:56:22 2016] [warn] [client 24.69.156.92] mod_fcgid: stderr: PHP Warning:  is_executable(): open_basedir restriction in effect. File(/usr/bin/gpg) is not within the allowed path(s): (/var/www/vhosts/<mydomain>/httpdocs/:/tmp/:/var/www/vhosts/<mydomain>/private/:/usr/share/pear/) in /usr/share/pear/System.php on line 530
```

I am running CentOS 6 1205160407.13 with PHP 5.5.35.

The "obvious" thing to try is adding /usr/bin to the open_basedir path, but I'm not sure how that will affect things from a security standpoint. So rather than trying it, I am hoping for some insight here.

Luke Pittman
    This topic is important from the security point of view, no matter if a control panel is used or not. In fact, control panels often limit the use of `open_basedir`, so the potential answers are more relevant to configurations without them. You can simply remove "Plesk" from the question to make it on-topic, so it cannot be considered as control panel specific. – sam_pan_mariusz May 11 '16 at 19:20

1 Answer

I personally avoid giving PHP applications access to any executables except those really required. Setting open_basedir is only effective inside PHP code itself, without any effect on external binaries. Even if the PHP application can be trusted, it can potentially be compromised by an attacker. Disabling the allow_url_include ini setting, the eval() pseudo-function, etc. can make these attacks harder, but with PHP you're never really safe.

The workaround I use is to have a separate bin/ directory per web application (/srv/bin/web/WEBAPP_ID in my case), only having a set of executables known to be safe. Set the PATH system variable for the PHP interpreter to include this directory. Hardlinks or shell wrapper scripts can potentially be used in those directories to avoid duplicating executable files (symlinks make no sense here as they are dereferenced by PHP before enforcing basedir restrictions). The shell wrappers also allow restricting the arguments passed to the actual executable. On UNIX-like systems it also makes much sense to have all directories writeable by PHP applications mounted with the noexec flag.

A working example of a shell wrapper for GhostScript (you can add some logging if needed):

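```bash
#!/bin/bash
# Allow-list wrapper: exit 254 on any argument not matched below,
# otherwise hand the unchanged argument list to the real gs binary.

GS_BASE_DIR="/path/to/temp/directory"

for T_ARG in "${@}"; do
        case "${T_ARG}" in
                *'/../'*|*'/..')
                        # Reject parent-directory components: they would otherwise
                        # satisfy the "${GS_BASE_DIR}/"* prefix patterns below
                        exit 254
                ;;
                '-d'*|'-q'|'-r'*x*|'-sDEVICE='*|"-sOutputFile=${GS_BASE_DIR}/"*|'-sOutputFile=-'|'-f-'|"-f${GS_BASE_DIR}/"*|"${GS_BASE_DIR}/"*|'-')
                        # OK - no op
                ;;
                *)
                        exit 254;
                ;;
        esac
done

exec /usr/bin/gs "${@}"
```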
sam_pan_mariusz
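The per-application bin/ directory described in the answer above can be built and checked with a short script. This is an added example, not part of the original answer; the function names `provision_bin` and `audit_bin` are hypothetical and all paths are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the original answer); function names are hypothetical.

# provision_bin BIN_DIR EXECUTABLE...
# Fill BIN_DIR with hardlinks to the listed executables, falling back to a
# one-line wrapper script when a hardlink is impossible (other filesystem,
# or the kernel refuses to link a file the caller does not own).
provision_bin() {
    bin_dir=$1; shift
    mkdir -p "$bin_dir" && chmod 0755 "$bin_dir" || return 1
    for src in "$@"; do
        name=$(basename "$src")
        real=$(readlink -f "$src") || return 1   # link the file itself, not a symlink to it
        if [ ! -f "$real" ] || [ ! -x "$real" ]; then
            echo "not an executable file: $src" >&2; return 1
        fi
        # The wrapper single-quotes the path, so a quote in it is refused
        case $real in *"'"*) echo "unsupported path: $real" >&2; return 1 ;; esac
        rm -f "$bin_dir/$name"
        if ! ln "$real" "$bin_dir/$name" 2>/dev/null; then
            printf '#!/bin/sh\nexec '\''%s'\'' "$@"\n' "$real" > "$bin_dir/$name"
            chmod 0755 "$bin_dir/$name"
        fi
    done
}

# audit_bin BIN_DIR
# Return non-zero if BIN_DIR holds anything that is not a regular file
# (symlink, subdirectory, ...) or that is writable by group or others.
audit_bin() {
    bad=$(find "$1" -mindepth 1 \( ! -type f -o -perm -020 -o -perm -002 \) -print) || return 1
    if [ -n "$bad" ]; then
        echo "unsafe entries in $1:" >&2
        echo "$bad" >&2
        return 1
    fi
}
```

A hardlink keeps pointing at the old inode when a package update replaces the original file, so `provision_bin` has to be re-run after updates to the linked executables.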