2

I'm running an application on a VPS under Ubuntu 13.10 nginx and php5-fpm, The webserver has been set up very carefully following the best security practices. The app was written and tested to avoid any kind of injection, users input data is filtered, and they are not allowed to upload files either there is no upload form in the application, so even though the server was configured with strong restrictions and permissions only for users reading from, also a PHP directive open_basedir was set for tighten security and the default value is: 

open_basedir = /var/domain.com/public_html:/dev/urandom

Things it's going smoothly, but I've been watching php-fpm logs file and seeing quite often the following error:

EDIT: added missing File upload error information from the log file:

PHP Warning:  File upload error - unable to create a temporary file in Unknown on line 0
PHP Warning:  Unknown: open_basedir restriction in effect. File(/tmp) is not within the allowed path(s): (/var/www/domain.com/:/dev/urandom/) in Unknown on line 0

My doubt where is this coming from? The error did not point the file name either request details like IP etc,

Is my app or server compromised? or someone else faking an upload form and trying to upload files to the server, AFAIK its not possible as I have check it out and none files has been modified in computer files system.

As I'm very concerned about server security I can not figured that out! does anyone experienced this problem?

Adriano Rosa
  • 8,303
  • 1
  • 25
  • 25
  • I'm sure this warning is not related any hacking attempt. Applications usually need temp folder and developers use /tmp for this requirement. I believe your app try to create a files under the /tmp folder, this could be the reason why you getting this error. – Mehmet Ince Nov 26 '14 at 00:54
  • I edit a typo in my question, well @MehmetInce I'm still concerned, as the app do not make use of any resource that requires /tmp. – Adriano Rosa Nov 26 '14 at 01:10
  • Also maybe your app using disk based session data storing ( as an default ) . Because PHP uses /tmp folder in order to store session data. Could you check out sys_get_temp_dir for me ? from the command line just do php -r 'echo session_save_path(), "\n";' . Beside, you can change session data path http://php.net/manual/tr/function.session-save-path.php . But giving /tmp access permission won't cause any security hole. – Mehmet Ince Nov 26 '14 at 01:36
  • Yep the app is using disk based session store, I've checked that out so, `session.save_path=/var/lib/php5`, Although the default value for echoing sys_get_temp_dir is: `/tmp`. Another editing, I forgot to describe another important log information I received, as you can see updated above in the description, I think it may not be related to session store coz the log says File upload error, I do think this might be an attack attempt because that happened more than 200 times in a single minute. – Adriano Rosa Nov 26 '14 at 03:58

0 Answers0