Webserver/Nextcloud not reachable after open_basedir change

It is suggested in the Hardening and security guidance to give PHP read access to /dev/urandom.
Sadly, after editing php.ini within the apache2 folder accordingly, my webserver is not reachable anymore.

Even though, /dev/urandom exist on my installation.

Thank you for any help.

Please provide the log files of nextcloud and web server.

Apache error.log:
[Sat Aug 17 14:20:13.113870 2019] [mpm_prefork:notice] [pid 20260] AH00169: caught SIGTERM, shutting down [Sat Aug 17 14:20:13.343445 2019] [mpm_prefork:notice] [pid 23331] AH00163: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 configured -- resuming normal operations [Sat Aug 17 14:20:13.343552 2019] [core:notice] [pid 23331] AH00094: Command line: '/usr/sbin/apache2' [Sat Aug 17 14:20:13.694848 2019] [php7:warn] [pid 23336] [client] PHP Warning: Unknown: open_basedir restriction in effect. File(/var/www/html/nextcloud/remote.php) is not within the allowed path(s): (/dev/urandom) i$[Sat Aug 17 14:20:13.694940 2019] [php7:warn] [pid 23336] [client] PHP Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0 [Sat Aug 17 14:20:13.694967 2019] [php7:error] [pid 23336] [client] PHP Fatal error: Unknown: Failed opening required '/var/www/html/nextcloud/remote.php' (include_path='.:/usr/share/php') in Unknown on line 0

These warnings and errors repeat themself than multiple times.

Nextcloud logfile is empty and shows only forbidden login attemps as I tested my fail2ban configuration.

Thanks for your help.

Look out for these error messages.
So apperently you only added /dev/urandom to the open_basedir parameter. However, this parameter needs to hold every path to PHP files, which you allow to be executed. Meaning you need to add at least your nextcloud path, you NC data path and all other paths which contain data you want to access via nextcloud.

So it may look something like this then:

open_basedir = "/var/www/html/nextcloud:/var/ncdata:/mnt/reports/:/run/php-fpm/php-fpm.sock:/var/lib/redis/redis.sock:/proc/meminfo:/proc/cpuinfo:/dev/urandom:/tmp
1 Like

Thank you for your help.

Adding your code created a couple additional errors within apache as well as nextcloud, and I added the paths, which caused the error, to open_basedir. Now I can reach Nextcloud via webserver again.

Missing arguments were /dev/fd and /proc/self/fd (seems relevant for external storage) and the paths to the nextcloud.log as well as the external storage. /var/ncdata was changed by me to the actual Nextcloud storage.

For now it seems to run without errors. Thank you very much.
Could you elaborate a little on the meanings of /dev/fd and /proc/self/fd?

Hope I really hardened the system now and didn’t mess it up.

Thank you.

Newer systems provide a directory named /dev/fd whose entries are files named 0,1, 2, and so on.

Some systems provide the pathnames /dev/stdin, /dev/stdout, and /dev/stderr. These are equivalent to /dev/fd/0, /dev/fd/1, and /dev/fd/2.

So /dev/fd is required by Nextcloud (or rather say PHP, as Nextcloud is just a PHP application which is further hardened by the open_basedir PHP parameter) to access stdin, stdout or stderr. Not sure what exactly it is needed for, but as you only opened the directories which NC required right now, you are pretty safe.
The open_basedir parameter will prevent every access to other paths you didn’t configure right now.
So yes, you rather hardened your system right now and didn’t weaken it :wink:

Thank you so much!