Score:1

Find what paths are required for open_basedir?


We have a server (running PHP-FPM 7.4 on Apache) that hosts various scripts, frameworks and applications like DokuWiki. It's grown to a pretty complex beast. We would like to apply an open_basedir restriction. Just setting a best guess open_basedir is bound to cause problems. Is there a way to find out the minimal set of the paths that are actually required?

If an open_basedir restriction could be made non-fatal, for instance, so that it logs warnings instead of errors, we could monitor these. But I found no way to make open_basedir non-fatal.

Score:2

open_basedir cannot be put into something similar to SELinux "permissive mode", where would-be-denied accesses are logged but not really blocked.

My best advice is to use strace to look at the openat system call from httpd or php-fpm. You can do that at runtime via the following command:

strace -f -e openat -p "$(pidof httpd php-fpm)"

To save strace output to a file, add -o /my/file.txt
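
One way to reduce a saved strace file to a candidate open_basedir value, as an added example that is not part of the original answer. The function names, the ignore list of loader/runtime paths and the sample trace lines are assumptions constructed for illustration; strace also records opens made by PHP itself, so the result is a list to review, not a final setting.

```python
import posixpath
import re

# Path argument of an openat() line as strace -f prints it (with or without -o).
OPENAT = re.compile(r'\bopenat\((?:AT_FDCWD|\d+)[^,]*, "((?:[^"\\]|\\.)*)"')
# Assumption: opens made by the loader/runtime rather than by PHP scripts.
IGNORE = ("/proc/", "/sys/", "/dev/", "/etc/ld.so", "/lib/", "/lib64/", "/usr/lib/")

def accessed_dirs(lines):
    """Directories touched by openat(); failed opens (ENOENT) count as well."""
    dirs = set()
    for line in lines:
        m = OPENAT.search(line)
        if not m:
            continue  # e.g. "<... openat resumed>" lines carry no path
        path = posixpath.normpath(m.group(1))
        if not path.startswith("/") or path.startswith(IGNORE):
            continue  # relative paths need the process cwd; review by hand
        # A directory opened with O_DIRECTORY is itself the accessed location.
        dirs.add(path if "O_DIRECTORY" in line else posixpath.dirname(path))
    return dirs

def open_basedir_value(lines):
    """Drop directories nested under another entry and join the rest with ':'."""
    kept = []
    for d in sorted(accessed_dirs(lines)):  # a parent sorts before its children
        # Entries end in "/" so the nesting test compares whole path components.
        if not any(d.startswith(k) for k in kept):
            kept.append(d.rstrip("/") + "/")
    return ":".join(kept)

# Constructed sample in the format written by: strace -f -e openat -o file
SAMPLE = '''\
1201 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
1201 openat(AT_FDCWD, "/var/www/dokuwiki/doku.php", O_RDONLY) = 5
1202 openat(AT_FDCWD, "/var/www/dokuwiki/inc/init.php", O_RDONLY <unfinished ...>
1202 <... openat resumed>) = 6
1201 openat(AT_FDCWD, "/var/www/dokuwiki/conf/local.php", O_RDONLY) = -1 ENOENT (No such file or directory)
1203 openat(AT_FDCWD, "/var/lib/php/sessions/sess_abc123", O_RDWR|O_CREAT, 0600) = 7
1203 openat(AT_FDCWD, "/tmp", O_RDONLY|O_DIRECTORY) = 8
1203 openat(AT_FDCWD, "conf/relative.php", O_RDONLY) = 9
'''.splitlines()

if __name__ == "__main__":
    print("open_basedir =", open_basedir_value(SAMPLE))
```

Trace long enough to cover cron jobs, uploads and admin pages before relying on the list; paths that never appear in the trace will be denied once the restriction is on.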
