Open_basedir restriction after update to 26

Lots of issues after update from 25 - 26.

Log error

is_file(): open_basedir restriction in effect. File(/proc/cpuinfo) is not within the allowed path(s): (/home/xxxx/:/tmp:/var/tmp:/opt/alt/php73/usr/share/pear/:/dev/urandom:/usr/local/lib/php/:/usr/local/php73/lib/php/) at /home/xxxx/domains/domain.com/public_html/cloud/lib/private/Preview/Generator.php#351

Nextcloud 26.0
PHP 8.1

1 Like

Does anyone know…

yes.

But you did not provide any informtion about your system. When you need help, you must provide information.

You must change your

open_basedir = /home/xxxx/:/tmp:/var/tmp:/opt/alt/php73/usr/share/pear/:/dev/urandom:/usr/local/lib/php/:/usr/local/php73/lib/php/

to

; open_basedir

in your php.ini file. But I can not say in which php.ini file without further information about php (if fpm in use) and web server as well as underlying operating system

Sorry if I am being dense, but was the suggestion above to simply disable the open_basedir feature entirely? Why not just add /proc/cpuinfo to it instead?

The open_basedir is not been maintained, it still includes php73 directories. Nextcloud is secure enough IMHO, to disable open_basedir.
But of course, one could ad it as well but if this issue here already leads to a cry for help and the value has obviously not been maintained, I would recommend resetting the value, which is also the default.

So Adding /proc/cpuinfo alone is not enough, one have to adapt all the outdated pathes as well, which requires knowledge.

Right. Yeah it would be a lot better to fix the configuration instead of turning it off entirely. This feature is a good one in PHP IMO. But whatever!

1 Like

Okay, so what does it mean? ‘I would recommend resetting the value, which is also the default.’

We are on PHP 8.1 and did not have this log error before upgrading from 25 to 26

This is the commit where it is added. Previous versions, (pre 26 v26.0.0beta1) did not use this test.

As good as nobody uses the open_basedir directive, as you can see, you are the first to complain about this behaviour.

I get the same error after updating to v26 (also updated PHP from 7.4.33 to 8.2.3).

I cannot disable open_basedir since I can only alter the variables that I get through the servers LiveConfig.
Since Nextcloud is running fine, is there a downside except getting that line in my log forever?

I could imagine, that it brakes the generation of preview images.

Hi to all,

i think, i have the same issue after the nextcloud update from 25.0.6 to 26.0.1.

Fehler PHP is_file(): open_basedir restriction in effect. File(/proc/cpuinfo) is not within the allowed path(s): (/var/www/vhosts/xxx.xxx.xxx.net/xxx.de/:/tmp/:/var/lib/php/sessions:/var/www/vhosts/xxx.xxx.xxx.net/tmp) at /var/www/vhosts/xxx.xxx.xxx.net/xxx.de/nextcloud/lib/private/Preview/Generator.php#351

For me it is not quite clear what I can do to solve this issue and how the comments about it cloud help me. What I say for sure, I did not have the failure with Nextcloud version 25.0.x. I am using PHP version 8.1. With my hoster I can set the following two values for the “open_basedir”. Currently the value marked with Default is selected here.

Unfortunately, I can not do anything with the values in the settings that are there for selection.

If there is any information missing, I will be happy to supply it. I hope that someone can help me.

Thanks and greetings
Thomas

does anyone have any ideas?
Greetings

This is yet another thread where one must wonder if you guys are surrounded by psychics in real life… :wink:

This problem does not exist on a regular linux distro like Debian / Ubuntu etc., If you are using the default config of a LAMP Stack on such a distro. All you have to do, is apply the minimal config from the docs, install the required PHP modules, create a database and copy Nextcloud into the web root, and point your web browser to the IP address / FQDN of your server…

So, where and how did you install your Nextcloud in order to get that error…?

2 Likes

The cloud has been running for years and the problem has only been there since the update from version 25.0.6 to 26.0.1.
I can’t change much in the server settings because it is a hosted server. Nothing has been changed on it either.
I have limited access to the PHP.ini via Plesk.
The update was done via the web updater as usual.
The original installation via the webinstaller.
Well, I think the best way is as always to open a topic at Github, since I think it’s a bug from the app Preview.

Thanks

There you go…

If you are looking for support, you should open a new thread here and fill out the support template. If you want to report bugs, then yes, report them on the Nextloud GitHub, and if you are using web admin panels like Plesk, you should report it there too… In any case, you should mention that you are using Plesk, and also with which hosting provider you are using it, or if you installed it yourself, on which distro you installed it.

And by the way, it is funny that the word “Plesk” only appears in this thread, after I provoked it to appear. You and others seem to assume that web hosting panels like Plesk are some kind of a standard. Surprise, they are not, and with applications like Nextcloud, in a professional environment, they are not even common.

2 Likes

I do not see this as a bug but as a design error.

The number of cpus can, but in this case should not be read from /proc/cpuinfo for the reasons that lead to this issue here. Instead, it should be read with nproc (which is part of coreutils, ie present in the path environment of every Linux system).
For this purpose, the function getHardwareConcurrency() in lib/private/Preview/Generator.php should be changed as follows:

Old:

	/**
	 * Get the number of concurrent threads supported by the host.
	 *
	 * @return int number of concurrent threads, or 0 if it cannot be determined
	 */
	public static function getHardwareConcurrency(): int {
		static $width;
		if (!isset($width)) {
			if (is_file("/proc/cpuinfo")) {
				$width = substr_count(file_get_contents("/proc/cpuinfo"), "processor");
			} else {
				$width = 0;
			}
		}
		return $width;
	}

New:

	/**
	 * Get the number of concurrent threads supported by the host.
	 *
	 * @return int number of concurrent threads, or 0 if it cannot be determined
	 */
	public static function getHardwareConcurrency(): int {
		static $width;
		if (!isset($width)) {
			if (function_exists('exec')) {
				$exec_out = [];
				exec('nproc', $exec_out);
				$width = intval($exec_out[0]);
			} else {
				$width = 0;
			}
		}
		return $width;
	}

Since I am not restricted by PLESK, you could test if this works for you with the following script, which you should place into your webroot:

/home/xxxx/domains/domain.com/public_html/cloud/nproc.php

<?php
require_once 'lib/private/Preview/Generator.php';
use OC\Preview\Generator;
echo 'Hardware concurrency: ' . Generator::getHardwareConcurrency() . "\n";

Now call that script in console with
php /home/xxxx/domains/domain.com/public_html/cloud/nproc.php

it should return an echo like:

Hardware concurrency: 2

(in this example, there are 2 cpus)

If that script runs in your PLESK-restricted environment, you could file an issue for an enhancement (Feature request) here.
You can link to this thread for details.

EDIT: you must test this, since it could be possible, that a function like exec() is restricted (listed as ‘disable_functions = exec’ in php.ini).

You can find out if exec is available on your system with this command:

php -r "echo function_exists('exec') ? 'exec is available' . PHP_EOL : 'exec is not available' . PHP_EOL;"

(you have of course to replace php with the php you are using on your system, like you call the occ command)

3 Likes

Thanks again for your help.
I am on the road right now.
As soon as I’m back home, I’ll test it and give you feedback.

Our log gets flooded with (almost) the same lines after 25 > 26 update. The only difference is
php74 where its is php73 in the OP.
We have not noticed further issues so far.

We’re on shared webhosting based on Litespeed Web Server and DirectAdmin. Provider internettoday.nl. Nextcloud was installed using the web installer promoted here: Install - Nextcloud.

Details:

Nextcloud version : 26.0.1
Operating system and version : Linux 3.10.0-962.3.2.lve1.5.79.el7.x86_64 #1 SMP x86_64
Apache or nginx version : Apache/2 (litespeed)
PHP version : 8.1.17

The issue you are facing: same as OP above

Is this the first time you’ve seen this error? Y

Steps to replicate it:

  1. update 25.0.5 > 26.0.1 (via 25.0.6 and 26.0)
  2. look ub /index.php/settings/admin/logging

The output of your Nextcloud log in Admin > Logging:

[PHP] Error: is_file(): open_basedir restriction in effect. File(/proc/cpuinfo) is not within the allowed path(s): (/home/<account>/:/tmp:/var/tmp:/opt/alt/php74/usr/share/pear/:/dev/urandom:/usr/local/lib/php/:/usr/local/php74/lib/php/) at /home/<account>/domains/example.com/public_html/cloud/lib/private/Preview/Generator.php#351

GET /index.php/core/preview?fileId=464&c=c5edf881068c4f84bc6c9eb94f3cdcc9&x=375&y=375&forceIcon=0&a=1
from 2a10:3781:15:1:64d0:faf:896:88ea by <admin account> at 2023-04-23T20:44:04+00:00

(as it seems this line appears at any activity)

The output of our config.php file in /path/to/nextcloud :

{
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "cloud.example.com"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "mysql",
    "version": "26.0.1.1",
    "overwrite.cli.url": "https:\/\/cloud.example.com",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "mysql.utf8mb4": true,
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "mail_smtpmode": "smtp",
    "mail_smtpsecure": "tls",
    "mail_sendmailmode": "smtp",
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpport": "587",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpauthtype": "LOGIN",
    "mail_smtpauth": 1,
    "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
    "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
    "maintenance": false,
    "theme": "",
    "loglevel": 2,
    "default_language": "nl",
    "default_locale": "nl_NL",
    "defaultapp": "files",
    "default_phone_region": "NL",
    "skeletondirectory": "\/home\/<account>\/domains\/example.com\/public_html\/clouddata\/skeleton",
    "templatedirectory": ""
}

The output of your Apache/nginx/system log in /var/log/____: we have no access to that.

Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.

[Sat Apr 22 00:10:47.369999 2023] [ssl:warn] [pid 3548:tid 140332246354048] AH01909: www.cloud.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Sat Apr 22 00:24:45.679993 2023] [ssl:warn] [pid 3548:tid 140332246354048] AH01909: www.cloud.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Sat Apr 22 01:56:39.407407 2023] [authz_core:error] [pid 1131188:tid 140330959476480] [client 185.81.157.178:55732] AH01630: client denied by server configuration: /home/<account>/domains/example.com/public_html/cloud/.env
[Sat Apr 22 04:17:57.462229 2023] [authz_core:error] [pid 1568317:tid 140330791622400] [client 185.81.157.178:52064] AH01630: client denied by server configuration: /home/<account>/domains/example.com/public_html/cloud/.env

The editing of generator.php seems to work in my Plesk environment. I haven’t got the error message for 35 min. now.

When I save the script and call it, I, however, get the following message:

Warning: require_once(lib/private/Preview/Generator.php): failed to open stream: No such file or directory in /httpdocs/comnomad/nproc.php on line 2

Fatal error: require_once(): Failed opening required ‘lib/private/Preview/Generator.php’ (include_path=‘.:/usr/local/php74/share/php74’) in /httpdocs/comnomad/nproc.php on line 2

I’m on php 8.

The path lib/private/Preview/Generator.php is relativ to the webroot.
you must place that script in your webroot (the place where occ is)

Or you can change the script and give the absolute path to Generator.php.