Community Documentation

Drupal with safe mode enabled and open basedir

Last updated September 3, 2006. Created by ednique on September 3, 2006.
Log in to edit this page.

This is still undergooing some changes as I'm doing more tests...
But it works on a clean drupal 4.7.3 install...

I haven't tested all modules yet, so please help me out...

Simply: use safe mode based on groups rather then owner and give access to my central code base for virtual hosts so that open base dir works...

You need to be logged in using ssh as root...
And mind you my examples are from a plesk based system...
With a central code base located in /var/www/apps/drupal
and the virtual hosts directory in /var/www/vhosts/{domain}.{tld}/httpdocs/

1) create a group and a user called drupal...
After -d you can put any home directory you like, but I choose the directory where my drupal code is installed...
after the passwd you need to give a GOOD password for the user...

groupadd drupal
useradd -d /var/www/apps/drupal -g drupal drupal
passwd drupal

2) Change the owner and the group of the single code base...
If you don't have a single code base, only changing the group (chgrp) is enough

chgrp drupal -R /var/www/apps/drupal
chown drupal -R /var/www/apps/drupal

3) For the virtual hosts, change the group of the sites directory
Also all directories under sites should be chmod to 2775: 2 puts all new subfiles created automatically into the group of the folder they are placed in (drupal in our case) + 7 for owner (root or drupal or ftpusername) + 7 for group (drupal) + 5 for guests
If you have any more directories under sites, chmod them too

chgrp drupal -R /var/www/vhosts/{domain}.{tld}/httpdocs/sites
chmod 2775 /var/www/vhosts/{domain}.{tld}/httpdocs/sites
chmod 2775 /var/www/vhosts/{domain}.{tld}/httpdocs/sites/default

4) Add the users to the group
Plesk has a psaserv group don't worry if you don't have it...
The drupal group needs the psaadm and psaftp only if you run plesk

vi /etc/group
psaserv:x:2523:apache,psaftp,psaadm,drupal
drupal:x:10002:drupal,apache,psaftp,psaadm,{user_of_ftp_account_of_virtual_host}
restart service apache

5) correct the tmp dir by creating a sub directory and putting the drupal group and user on it...

mkdir /tmp/drupal
chmod 2775 /tmp/drupal
chgrp drupal /tmp/drupal
==> in admin change to /tmp/drupal

6) alter the code of file.inc so directories are made using 2775 rather then 775

find: @chmod($directory, 0775);
replace: @chmod($directory, 02775);

Actually my version of PHP has a bug and doesn't put the 2!!!
I have to remember to chmod myself then...

7) change your virtual host settings of httpd.conf
In plesk this is done in: /var/www/vhosts/{domain}.{tld}/conf/vhost.conf
Other systems might have another place for the conf which is the configuration for your httpd server..
With this code I have made sure that only the drupal directories benefit from group based safe mode (safe_mode_gid)... all other directories still use the default safe mode
Remove the second DirectoryMatch in case you want all files and folders to benefit from group based safe mode...
As I have a central code base in /var/www/apps/drupal, I need to add this dir to the open basedir... and again only for the drupal directories off course...

#
# allow all documents below this dir access to drupal core
#

<DirectoryMatch "^/var/www/vhosts/{domain}.{tld}/httpdocs">
        <IfModule sapi_apache2.c>
                php_admin_flag safe_mode on
                php_admin_flag safe_mode_gid on
                php_admin_value open_basedir "/var/www/apps/drupal:/var/www/vhosts/{domain}.{tld}/httpdocs:/tmp"
        </IfModule>
        <IfModule mod_php5.c>
                php_admin_flag safe_mode on
                php_admin_flag safe_mode_gid on
                php_admin_value open_basedir "/var/www/apps/drupal:/var/www/vhosts/{domain}.{tld}/httpdocs:/tmp"
        </IfModule>
</DirectoryMatch>


#
# now limit for all directories below root that are not includes or modules
# users want other apps installed too... so no access to drupal
#

<DirectoryMatch "^(/var/www/vhosts/{domain}.{tld}/httpdocs/)(?!includes/|modules/).*/">
        <IfModule sapi_apache2.c>
                php_admin_flag safe_mode on
                php_admin_flag safe_mode_gid off
                php_admin_value open_basedir "/var/www/vhosts/{domain}.{tld}/httpdocs:/tmp"
        </IfModule>
        <IfModule mod_php5.c>
                php_admin_flag safe_mode on
                php_admin_flag safe_mode_gid off
                php_admin_value open_basedir "/var/www/vhosts/{domain}.{tld}/httpdocs:/tmp"
        </IfModule>
</DirectoryMatch>
Login or register to post comments

Looking for support? Visit the Drupal.org forums, or join #drupal-support in IRC.

About this page

Drupal version
Drupal 4.7.x

Installation guide

Drupal’s online documentation is © 2000-2012 by the individual contributors and can be used in accordance with the Creative Commons License, Attribution-ShareAlike 2.0. PHP code is distributed under the GNU General Public License. Comments on documentation pages are used to improve content and then deleted.
nobody click here