Ubuntu 9.10 Maverick - after update on 11 01 2011 open_basedir not working any more

Asked by Dan Demeter on 2011-01-12

Hello,

I'm currently administrating 2 Ubuntu servers with the main purpose of web hosting.
This morning, the one with 9.10 auto-updated the php5 package to 5.2.10.dfsg.1-2ubuntu6.6. Since then, ALL websites hosted (which worked fine until now) show a message like:

Warning: Unknown: open_basedir restriction in effect. File(/var/hosting/sites/*/public_html/index.php) is not within the allowed path(s): (/var/hosting/sites/*/public_html/:/tmp/) in Unknown on line 0

I am using the open_basedir restriction in the Apache virtual host as follows:
        <Location />
                php_admin_value open_basedir "/var/hosting/sites/*/public_html/:/tmp/"
        </Location>
The strange fact is that even if I set open_basedir to "/" I get the same result.
The only way to avoid this error is to comment out the rule in every virtual host file, and then all works fine. But again, I can't do that on a production server.

What should I do? As far as I can tell, there is this similar bug in PHP 5.2.15: http://bugs.php.net/53516
Should I try to use the Maverick packages (put the correct lines in /etc/apt/sources.list) and try to update php5 again?

Thanks a lot,
Dan

Question information

Language: English
Status: Solved
For: Ubuntu php5
Assignee: No assignee
Solved by: Dan Demeter
Solved: 2011-01-13
Last query: 2011-01-13
Last reply: 2011-01-13
Jeruvy (jeruvy) said : #1

You may wish to seek a PHP forum for assistance if you do not find a solution here.
I found this link which should help direct you to the solution:

http://bytes.com/topic/php/answers/7819-open_basedir-errors

Good luck.

Dan Demeter (xdanx) said : #2

Hello,

You didn't get my problem. I know how to fix open_basedir problems.

The scenario is like this:

12.01.2011, Karmic Ubuntu:

06:00 AM - Before the update: php5 5.2.10.dfsg.1-2ubuntu6.5 - All sites were working normally.
06:30 AM - Unattended updates updated php to version php5_5.2.10.dfsg.1-2ubuntu6.6
From 06:31 AM - All sites crashed.

I had to install PHP 5.3 for Karmic from an unofficial PPA.
It seems I was right, as another update was pushed today:

php5 (5.2.10.dfsg.1-2ubuntu6.7) karmic-security; urgency=low

  * debian/patches/php5-CVE-2010-3436-regression.patch: update
    main/fopen_wrappers.c to include fix for open_basedir restriction
    regression (LP: #701896)

FROM https://edge.launchpad.net/ubuntu/+source/php5/5.2.10.dfsg.1-2ubuntu6.7

Unfortunately, I had angry clients calling me because their websites were not working, and I was not aware of it.
I'm out, have a nice day,
Dan

Jeruvy (jeruvy) said : #3

Actually I did; this problem is due to the regression patch, as you noticed.
I take it you don't actually test patches before pushing them out to production servers, which IMHO is a bigger problem.

Glad you are back in business.

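The config in the question applies open_basedir per virtual host, and the bad package denied every file under it, even with "/" as the list. The block below is an added example, not code from this thread, from PHP or from the Ubuntu package: a small Python model of the open_basedir rule as the PHP manual documents it (the entry is a prefix of the resolved path, so a trailing slash matters), plus the positive and negative cases a pre-production check of a freshly updated php5 should run, which is the testing step Jeruvy is pointing at. The paths, the fixture tree, the helper names and the "directory itself counts as inside" rule are assumptions of this model, not taken from the page.

```python
"""
Model of the documented open_basedir prefix rule plus the cases a
post-update smoke test should cover.  Added example: not code from the
thread, from PHP or from the Ubuntu php5 package.
"""
import os
import tempfile

PATH_SEP = ":"               # open_basedir list separator on Unix (";" on Windows)
LEXICAL = os.path.normpath   # resolver for sample paths that do not exist on disk


def within_basedir(resolved_name, basedir, resolve=os.path.realpath):
    """One open_basedir entry.  The PHP manual documents the entry as a
    *prefix* of the resolved path, so "/srv/www" also admits "/srv/www2/...";
    the trailing slash is kept on the entry, which closes that hole.  The
    directory itself is treated as inside (an assumption of this model)."""
    resolved_base = resolve(basedir)
    if basedir.endswith("/") and not resolved_base.endswith("/"):
        resolved_base += "/"
    return (resolved_name.startswith(resolved_base)
            or resolved_name == resolved_base.rstrip("/"))


def check_open_basedir(path, open_basedir, resolve=os.path.realpath):
    """True if `path` may be opened under the open_basedir list.  Symlinks
    are resolved before comparing, like PHP's realpath() step, so a link
    inside the docroot that points outside the tree is denied."""
    resolved_name = resolve(path)
    return any(within_basedir(resolved_name, entry, resolve)
               for entry in open_basedir.split(PATH_SEP) if entry)


def smoke_test(allowed_file, denied_file, escape_link, open_basedir,
               check=check_open_basedir):
    """Cases to run against the PHP an update installed, before it serves
    production traffic.  Each value is True when that case behaves correctly.
    The regression in the thread failed the first case for every file, even
    with open_basedir set to "/"; the last case pins that down."""
    return {
        "docroot_allowed": check(allowed_file, open_basedir) is True,
        "outside_denied": check(denied_file, open_basedir) is False,
        "symlink_escape_denied": check(escape_link, open_basedir) is False,
        "root_allows_everything": check(denied_file, "/") is True,
    }


def demo():
    """Constructed fixture (not from the page): <tmp>/sites/example/public_html/
    index.php inside the docroot, <tmp>/secret.txt outside it, and a symlink
    from the docroot to the secret.  /tmp/ is deliberately left out of the
    list because the fixture itself lives under the system temp directory."""
    with tempfile.TemporaryDirectory() as root:
        docroot = os.path.join(root, "sites", "example", "public_html")
        os.makedirs(docroot)
        index = os.path.join(docroot, "index.php")
        secret = os.path.join(root, "secret.txt")
        link = os.path.join(docroot, "escape")
        for p in (index, secret):
            with open(p, "w") as fh:
                fh.write("<?php echo 'ok';\n")
        os.symlink(secret, link)
        return smoke_test(index, secret, link, docroot + "/")


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:24s} {'PASS' if ok else 'FAIL'}")
```

Against a real build the same four cases go through the CLI of the package under test on a staging host, e.g. `php -n -d open_basedir=/var/hosting/sites/example/public_html/:/tmp/ -r '...'` with a `file_get_contents()` on a docroot file, on a file outside the list and on a symlink that escapes; if the first read is refused, the package is the 6.6 regression and must not reach the production vhosts.
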
Dan Demeter (xdanx) said : #4

Hmm.. Sorry then for my post, I thought you didn't get my question correctly.

Until now I was using the policy "Automatically update security upgrades"... It didn't fail me until now.
For normal upgrades I test them before, but should I be setting manual upgrades for security updates too?

In that case, do you know any list/feed/webpage which I can subscribe to be notified of security updates ?
I am subscribed to some lists but.. any info is helpful.

Thanks,
Dan

Jeruvy (jeruvy) said : #5

No worries, just wanted to clear that up.

Automatic updates are ok for non-critical desktop systems (aka 'most people who use a computer').
Using them on more critical systems is, I would hazard a guess, 90% OK to do; the problem is those 10% that do this to you.

To get information on updates, there are numerous lists and redundant lists, which I'm not a big fan of. The Ubuntu USN RSS feed is at:

http://www.ubuntu.com/usn/rss.xml

The Debian one is a good source of 'up and comers' in Ubuntu:

http://www.debian.org/security/dsa-long

There is also the #ubuntusecurity twitter feed; this seems to be all USN information releases, so it looks official. I'm not certain if it is.

http://twitter.com/#!/ubuntusecurity

The official USN site is at:

http://www.ubuntu.com/usn

Good luck.