Open_basedir changes not updating on domain

vincurekf · February 26, 2021, 7:42am

Hello everyone,
I have Hestia v1.3.3 installed, this morning I did an update and since then I can’t access one of three websites.

I have checked apache2 and nginx status, both running without issues.
The error I am getting is open_basedir restriction in effect:

open_basedir restriction in effect. File(/home/xtvcz/web/xtv.cz/public_html/vendor/autoload.php) is not within the allowed path(s): (/home/xtvcz/web/xtv.cz/public_html/public:/home/xtvcz/web/xtv.cz/public_shtml:/home/xtvcz/tmp:/var/www/html:/etc/phpmyadmin:/var/lib/phpmyadmin:/etc/phppgadmin:/etc/roundcube:/var/lib/roundcube:/tmp:/bin:/usr/bin:/usr/local/bin:/usr/share:/opt)

For a file that is definitely within allowed paths.
My custom (s)tpl file is configured as follows:

php_admin_value open_basedir %docroot%:%home%/%user%/tmp:/home/%user%/web/%domain%/public_html:/home/xtvcz/hddarchiv:/home/xtvdata/web/moneys.xtv.cz/public_html

Resulting configuration file in /etc/php/7.4/fpm/pool.d/xtv.cz.conf:

php_admin_value[open_basedir] = /home/xtvcz/web/xtv.cz/public_html/:/home/xtvcz/hddarchiv:/home/xtvcz/web/xtv.cz/public_shtml:/home/xtvcz/tmp:/var/www/html:/etc/phpmyadmin:/var/lib/phpmyadmin:/etc/phppgadmin:/etc/roundcube:/v>

It looks like my template file is not somehow registered by php-fpm/apache?
I have tried rebuilding domain from admin panel and rebuilding user with

v-rebuild-user xtvcz

But with no luck.
Is there any other path these template files are being compiled to?

Another thing is I have other domain dev.xtv.cz, that uses the same configuration templates, and is working correctly.

Thank you for any help.

eris · February 26, 2021, 7:51am

What file did you update exactly?

https://docs.hestiacp.com/admin_docs/server_management.html#how-can-i-change-settings-for-a-specific-domain

vincurekf · February 26, 2021, 7:56am

I have updated these files:
/usr/local/hestia/data/templates/web/php-fpm/PHP-7_4.tpl
/usr/local/hestia/data/templates/web/apache2/xtvcz-PHP-7_4.stpl

Both of which are set as active in domain settings:
xtv-config

eris · February 26, 2021, 8:04am

Web template should be the default.tpl (Unless you made other changes)

And Backend Template should be come xtvcz-PHP-7_4.tpl containing:

; origin-src: deb/php-fpm/multiphp.tpl

[%domain%]
listen = /run/php/php%backend_version%-fpm-%domain%.sock

listen.owner = %user%
listen.group = www-data
listen.mode = 0660

user = %user%
group = %user%

pm = ondemand
pm.max_children = 8
pm.max_requests = 4000
pm.process_idle_timeout = 10s
pm.status_path = /status

php_admin_value[upload_tmp_dir] = /home/%user%/tmp
php_admin_value[session.save_path] = /home/%user%/tmp
php_admin_value[open_basedir] = /xxxxxxx:/home/%user%/web/%domain%/public_html:/home/%user%/web/%domain%/private:/home/%user%/web/%domain%/public_shtml:/home/%user%/tmp:/var/www/html:/etc/phpmyadmin:/var/lib/phpmyadmin:/etc/phppgadmin:/etc/roundcube:/var/lib/roundcube:/tmp:/bin:/usr/bin:/usr/local/bin:/usr/share:/opt
php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f admin@%domain%

env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /home/%user%/tmp
env[TMPDIR] = /home/%user%/tmp
env[TEMP] = /home/%user%/tmp

It should work straight out of the box after you replaced: /xxxxxxx with the correct path

vincurekf · February 26, 2021, 8:27am

I have created the file, updated domain and rebuild user.

But the error message displays slightly different open_basedir configuration.

...is not within the allowed path(s): (/home/xtvcz/hddarchiv:/home/xtvcz/web/xtv.cz/public_html/public:/home/xtvcz/web/xtv...

My TPL config if as follows:

php_admin_value[open_basedir] = /home/xtvcz/hddarchiv:/home/%user%/web/%domain%/public_html:/home/%user%/web/%domain%/private:...

I forgot to mention I have set custom root in web settings:
custom-root

I suspect this might be causing the issue because even though the open_basedir rules are being updated (according to the error message, open_basedir rule is different than before), the paths are almost the same except the added public after

/home/xtvcz/web/xtv.cz/public_html/

Should I add anything else in the TPL config?

eris · February 26, 2021, 8:41am

If you are using an custom dir you made add the full path the open base dir

vincurekf · February 26, 2021, 8:59am

Here is how my /usr/local/hestia/data/templates/web/php-fpm/xtvcz-PHP-7_4.tpl looks:

; origin-src: deb/php-fpm/multiphp.tpl

[%domain%]
listen = /run/php/php%backend_version%-fpm-%domain%.sock
listen.owner = %user%
listen.group = www-data
listen.mode = 0660

user = %user%
group = %user%

pm = ondemand
pm.max_children = 8
pm.max_requests = 4000
pm.process_idle_timeout = 10s
pm.status_path = /status

php_admin_value[upload_tmp_dir] = /home/%user%/tmp
php_admin_value[session.save_path] = /home/%user%/tmp
php_admin_value[open_basedir] = /home/xtvcz/hddarchiv:/home/xtvcz/web/xtv.cz/public_html/public:/home/%user%/web/%domain%/public_html:/home/%user%/web/%domain%/public_html:/home/%user%/web/%domain%/private:/home/%user%/web/%domain%/public_shtml:/home/%user%/tmp:/var/www/html:/etc/phpmyadmin:/var/lib/phpmyadmin:/etc/phppgadmin:/etc/roundcube:/var/lib/roundcube:/tmp:/bin:/usr/bin:/usr/local/bin:/usr/share:/opt
php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f admin@%domain%

env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /home/%user%/tmp
env[TMPDIR] = /home/%user%/tmp
env[TEMP] = /home/%user%/tmp

Here is how the produced /etc/php/7.4/fpm/pool.d/xtv.cz.conf file looks:

; origin-src: deb/php-fpm/multiphp.tpl

[xtv.cz]
listen = /run/php/php7.4-fpm-xtv.cz.sock
listen.owner = xtvcz
listen.group = www-data
listen.mode = 0660

user = xtvcz
group = xtvcz

pm = ondemand
pm.max_children = 8
pm.max_requests = 4000
pm.process_idle_timeout = 10s
pm.status_path = /status

php_admin_value[upload_tmp_dir] = /home/xtvcz/tmp
php_admin_value[session.save_path] = /home/xtvcz/tmp
php_admin_value[open_basedir] = /home/xtvcz/hddarchiv:/home/xtvcz/web/xtv.cz/public_html//public:/home/xtvcz/web/xtv.cz/public_html/:/home/xtvcz/web/xtv.cz/public_html/:/home/xtvcz/web/xtv.cz/private:/home/xtvcz/web/xtv.cz/public_shtml:/home/xtvcz/tmp:/var/www/html:/etc/phpmyadmin:/var/lib/phpmyadmin:/etc/phppgadmin:/etc/roundcube:/var/lib/roundcube:/tmp:/bin:/usr/bin:/usr/local/bin:/usr/share:/opt
php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f [email protected]

env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /home/xtvcz/tmp
env[TMPDIR] = /home/xtvcz/tmp
env[TEMP] = /home/xtvcz/tmp

Should this work ok?
It does not work only on one domain xtv.cz, the other one dev.xtv.cz which uses the same configuration works.

vincurekf · February 26, 2021, 9:13am

UPDATE:

The initial problem was in the open_basedir configuration.
@eris solution worked. Thank you!

My last reply had another issue, after sudo apt upgrade, php7.4-memcached was not installed and the site silently failed without giving any error. Unrelated to this thread.

Thanks again @eris have a great day!

Closing.

system · March 28, 2021, 9:13am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.