Topic: [PHP] on 5.0 script is ok 5.1.2 error: open_basedir restrict

[Bas Konings]

I've made a script that makes a list of al the images in a folder of the primary site.
The script is running from an ibay.

On e-smith 4.1.1 its ok, on SME 5.0 its ok, but after an upgrade to SME 5.1.2 i receive an error :S

The error is: open_basedir restriction in effect.

In the PHP manual it states its something to do with safe_mode, but thats off in the default php.ini as far as i can tell.

Anyone have a solution?
What has changed and how can i undo it?

(piece of the script)


 $path="$imgupdir";
 $handle=opendir($path);
 while ($file = readdir($handle)) {
 $file_path = "$path/$file";
 if ($file != "." && $file != ".." && substr($file,0,1)!=".") {
 if(!is_dir($file_path)) {
 echo (" $file
");
 }
 }
 }
 closedir($handle);
 ?>

The line 2 creates the error apparently ... but on SME 5.0 its ok

[Charlie Brady]

Bas Konings wrote:

> On e-smith 4.1.1 its ok, on SME 5.0 its ok, but after an
> upgrade to SME 5.1.2 i receive an error :S
>
> The error is: open_basedir restriction in effect.
>
> In the PHP manual it states its something to do with
> safe_mode, but thats off in the default php.ini as far as i
> can tell.
>
> Anyone have a solution?
> What has changed and how can i undo it?

As a security feature, PHP code running from an i-bay is, by default, restricted to only accessing files within that i-bay. To change the default, from the command line, as root, do:

/sbin/e-smith/db accounts setprop foo PHPBaseDir  /home/e-smith/files
# Where 'foo' is the name of the i-bay, and /home/e-smith/files is the new
# Base directory you wish to allow access to (see PHP doco for details).
/sbin/e-smith/signal-event ibay-modify foo

Regards

Charlie

[Bas Konings]

Is this a new feature? In SME 5 and before this wasn't default.

[Johan]

Hi!
I have almost the same problem. I have a php script that is located in one i-bay that’s access and edit files in another i-bay. I can't get it to work with your solution. Is there anyway to shutdown this feature completely?

/Johan

[Dan York]

Bas Konings wrote:
>
> Is this a new feature? In SME 5 and before this wasn't default.

Yes, for a number of reasons, including the fact that I could
write a one-line PHP file that could expose *any* file on the
server, we needed to tighten up security for PHP.  Restricting
PHP access to just the i-bay directory was the chosen method
(I was not involved in the choice, so I do not know what other
options were considered).

Is there any way you can write your PHP script in the one i-bay
to call the files in the other i-bay via a URL on the server?
That should still work (but might not work the way you need
it to).

Dan

[Luke Drumm]

I've posted a how-to on how to disable the PHP basedir sandbox option here:
http://forums.contribs.org/index.php?topic=12706.msg47725#msg47725

Please take note of the security implications of doing this.

Regards,
Luke