J3 Issue No Code Attached Yet
avatar ZerooCool
ZerooCool
1 Aug 2019

PHP Guidelines (open_basedir and upload_tmp_dir) - Server Configuration - Early Baldness

Steps to reproduce the issue

1-
From the file /etc/php/7.3/fpm/php.ini I disable both directives:
open_basedir and upload_tmp_dir

2-
I add (I try to add) both directives directly to the VirtualHost file.
I get there for open_basedir but not for upload_tmp_dir
SetEnv PHP_ADMIN_VALUE "open_basedir=/var/www/visionduweb.fr/:/tmp/"

I am not sure to understand what value to put in this link for tmp. Is :/tmp/ the "upload_tmp_dir" folder ?

3-
In the Joomla Administration, Joomla configuration, I set the Joomla tmp folder to point to a "joomla_tmp" folder that exists on the server. ( sudo mv /tmp /joomla_tmp )

4-
I also create a new tmp folder on the server, which should be the one used by "upload_tmp_dir"
sudo mkdir tmp
I put www-data: www-data for owner and group.
I put chmod 4706 tmp / to get a "non-world-readable directory" but I do not know if it's ok ?

Expected result

Joomla should not display a folder alert upload_tmp_dir not defined since Extensions / Warnings.

phpinfo () and phpsecinfo () should consider that open_basedir AND upload_tmp_dir are correctly defined.

Actual result

WONDERFUL!
Joomla no longer displays an alert for the undefined upload_tmp_dir folder from Extensions / Warnings.

The problem:
infophp () and phpsecinfo, they say that upload_tmp_dir is not defined! This is obviously the case because I did not know how to define upload_tmp_dir from the VirtualHost and that upload_tmp_dir is disabled since the global configuration of /etc/php/7.3/fpm/php.ini

Joomla will see that a folder joomla_tmp exists and a file tmp exists, but, do not understand that the directive, it is not defined! It's really strange !

My priority request

I appeal to the community to help me understand if I can redefine the value of upload_tmp_dir from the VirtualHost, with command of the type, but, for upload_tmp_dir :
SetEnv PHP_ADMIN_VALUE "open_basedir=/var/www/visionduweb.fr/:/tmp/"

I do not speak of .htaccess or php.ini from the website, only with the VirtualHost.

I am looking to be able to validate the two directives on infophp and phpsecinfo before going to read if Joomla is satisfied in Extensions / Warnings

I'm also trying to understand what is expected by upload_tmp_dir when we talk about " non-world-readable directory "

System information (as much as possible)

Debian Buster OVH VPS.

Additional comments

My notes in French to try to configure the VirtualHost with open_basedir and upload_tmp_dir :

https://wiki.visionduweb.fr/index.php?title=Installer_PHP#D.C3.A9finir_open_basedir_dans_le_Virtualhost_de_chaque_site

The PhpSecInfo project : https://github.com/ZerooCool/phpsecinfo

avatar ZerooCool ZerooCool - open - 1 Aug 2019
avatar joomla-cms-bot joomla-cms-bot - change - 1 Aug 2019
Labels Added: No Code Attached Yet
avatar joomla-cms-bot joomla-cms-bot - labeled - 1 Aug 2019
avatar ZerooCool ZerooCool - change - 1 Aug 2019
The description was changed
avatar ZerooCool ZerooCool - edited - 1 Aug 2019
avatar ZerooCool ZerooCool - change - 1 Aug 2019
The description was changed
avatar ZerooCool ZerooCool - edited - 1 Aug 2019
avatar franz-wohlkoenig franz-wohlkoenig - change - 1 Aug 2019
Labels Added: J3 Issue
avatar franz-wohlkoenig franz-wohlkoenig - labeled - 1 Aug 2019
avatar ZerooCool ZerooCool - change - 1 Aug 2019
The description was changed
avatar ZerooCool ZerooCool - edited - 1 Aug 2019
avatar ZerooCool ZerooCool - change - 1 Aug 2019
The description was changed
avatar ZerooCool ZerooCool - edited - 1 Aug 2019
avatar ZerooCool ZerooCool - change - 1 Aug 2019
The description was changed
avatar ZerooCool ZerooCool - edited - 1 Aug 2019
avatar franz-wohlkoenig franz-wohlkoenig - change - 2 Aug 2019
Status New Discussion

Add a Comment

Login with GitHub to post a comment