How to add additional directories to open_basedir with Froxlor?

Problem:

You are using the Froxlor open source webhosting admin panel, together with the Apache2 webserver and the mod_php5 PHP handler. You installed a PHP web application that wants to access files outside of its document root, or used an Alias Apache directive to the same effect. The vhost configuration for its domain is done inside Froxlor, and you want to use the open_basedir PHP directive for added security.

The two solutions below were tested with Froxlor 0.9.27.

Solution 1: Adding the same additional directories for all virtual hosts at once

In the Froxlor panel, go to "Server -> Settings -> Web Server Settings -> Configuration", where you'll find an option to append paths to the open_basedir setting of all your virtual hosts. Compared to the per-vhost setting below, this is a much simpler solution, so it is probably a good idea to add some standard paths here even if they're not needed by every single site, such as the PHP PEAR paths.

Solution 2: Adding different directories for different virtual hosts

  1. Create this domain as a "main domain" within Froxlor, because only main domains can have a domain-specific vhost configuration. If you created it as a subdomain (that is, using a Froxlor customer user instead of an admin user), you have to delete it there and re-create it as a main domain using an admin user. (Froxlor will not delete your domain's PHP etc. files when you delete it in Froxlor's panel.) You can create a Froxlor "main domain" even for a subdomain, but be sure to set the "This domain is subdomain of:" setting correctly then.
  2. Disable the OpenBasedir setting for this domain. This is done in the settings while creating the domain, and can be changed later. It is needed to prevent Froxlor from generating an open_basedir setting, as we want to create our own custom setting for that below.
  3. Add your own open_basedir settings in "Own vHost Settings:". This is done in the settings while creating the domain, and can be changed later. Enter a line there that includes both the values that Froxlor normally uses for open_basedir (namely, the document root directory and /tmp) and the additional values you need. So for example something like:
      php_admin_value open_basedir "/var/customers/webs/customer1/sub-example-com/:/tmp/:/usr/share/pear/"
    Note the two spaces in the front – this will nicely indent your line in the Apache config file 😉
  4. Re-create configs. For that, do one of these:
    • Execute this via SSH on the server:
      php /var/www/froxlor/scripts/froxlor_master_cronjob.php --force
    • Wait until the next Froxlor cron job runs, which will also rewrite all vhost configs that need changes. (Clicking "Server -> Re-create configs" in Froxlor won't speed that up, it just queues additional config files for re-creation.)
  5. Restart Apache, because the config changes will not be picked up automatically in all cases. So:
    service apache2 restart
  6. Test the effect. Create a <?php phpinfo(); ?> script in a phpinfo.php file in the affected domain's document root, open it in your browser and look for the value of open_basedir.
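
Because step 2 switches off Froxlor's own open_basedir line, a vhost whose custom line is missing or incomplete ends up less restricted than before. The shell function below is an added example (not from the original post and not Froxlor code) that audits vhost config text for this and also flags a bare / entry; the function names, status labels and sample vhosts are constructed for illustration, and it assumes one directive per line and paths without spaces.

```shell
# Added example, not Froxlor code. Reads Apache config text on stdin and
# prints "<ServerName> <status>" for every <VirtualHost> block.
audit_open_basedir() {
    awk '
    # Drop quotes and force one trailing slash so /tmp and /tmp/ compare equal.
    function norm(p) { gsub(/"/, "", p); sub(/\/+$/, "", p); return p "/" }
    { key = tolower($1) }
    key ~ /^<virtualhost/ { invh = 1; name = "(unnamed)"; root = ""; obd = ""; next }
    !invh { next }
    key == "servername"   { name = $2 }
    key == "documentroot" { root = norm($2) }
    key == "php_admin_value" && tolower($2) == "open_basedir" { obd = $3; gsub(/"/, "", obd) }
    key ~ /^<\/virtualhost/ {
        invh = 0
        # Froxlor switch off and no custom line: PHP is unrestricted here.
        if (obd == "") { print name, "MISSING"; next }
        n = split(obd, parts, ":")
        has_root = 0; has_tmp = 0; broad = 0
        for (i = 1; i <= n; i++) {
            if (parts[i] == "") continue
            p = norm(parts[i])
            if (p == root)    has_root = 1
            if (p == "/tmp/") has_tmp = 1
            if (p == "/")     broad = 1   # whole filesystem allowed
        }
        if (broad)          print name, "TOO_BROAD"
        else if (!has_root) print name, "NO_DOCROOT"
        else if (!has_tmp)  print name, "NO_TMP"
        else                print name, "OK"
    }'
}

# Constructed sample: the vhost from step 3 and one with the custom line forgotten.
sample_config() {
    cat <<'EOF'
<VirtualHost 192.0.2.10:80>
  ServerName sub.example.com
  DocumentRoot "/var/customers/webs/customer1/sub-example-com/"
  php_admin_value open_basedir "/var/customers/webs/customer1/sub-example-com/:/tmp/:/usr/share/pear/"
</VirtualHost>
<VirtualHost 192.0.2.10:80>
  ServerName forgot.example.com
  DocumentRoot "/var/customers/webs/customer1/forgot-example-com/"
</VirtualHost>
EOF
}

sample_config | audit_open_basedir
```

To audit the real files, pipe the Froxlor-generated configs into the function, for example `cat /etc/apache2/conf.d/*.conf | audit_open_basedir`, after step 4 has re-created them.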

Discussion

There would normally be a lot of alternative ways to solve this, but they're all blocked for various reasons:

  • You cannot simply change the Froxlor-generated vhost configuration file (for example /etc/apache2/conf.d/22_manual_fix_vhost_sub.example.com.conf) because your change will be lost when Froxlor re-generates all the config files after the next change done to any domain configuration in the Froxlor backend.
  • You cannot manually create another Apache configuration file, say /etc/apache2/conf.d/45_manual_fix_vhost_sub.example.com.conf, to overwrite the Froxlor-provided open_basedir setting with your own value. That's because (according to my tests at least), Apache2 will only accept the first <VirtualHost ...></VirtualHost> configuration directive it finds per named virtual host.
  • In PHP, there is no way to set open_basedir values globally in php.ini that the per-vhost open_basedir directive would then append to. Instead, they will be overwritten. However, there has been a feature request for some time now to change that behavior.
  • There is no Froxlor setting to add another directory to every open_basedir line it generates, even though that would be helpful for things like PEAR.
  • You cannot provide this vhost configuration setting for all virtual hosts at once via the settings for one IP in Froxlor's "Server -> IPs and Ports" view, because the open_basedir setting has to include a domain-specific value or it won't make much sense.

Comments

4 responses to “How to add additional directories to open_basedir with Froxlor?”

  1. […] setting in Froxlor at the same time, you will need to add some directories to open_basedir as explained here. Check the Apache error log to know which ones; in the case of Roundcube, it was […]

  2. […] directories to open_basedir. When using Froxlor with Apache and mod_php5, you could add site-specific values to open_basedir. When using PHP-FPM, this is no longer possible because site-specific values are now stored […]

  3. Krause

    Point 2 is not right. Individual Settings will only be written if OpenBasedir Switch is enabled.

  4. Me thinks it is. There are two solutions actually (I now made that clearer in the post): one global, one per-vhost. For the global one, you’re right: keep the open_basedir switch enabled. For the other one, to which the list of steps applies, we replace the usual Froxlor generated open_basedir line with our own, so we have to disable that switch in Froxlor.
