Problems after defining open_basedir

Crafter · March 6, 2021, 7:07pm

Hello together,
I just installed the Plugin PhpSecInfo and in the the security overview I got the advice to set an open_basedir, so I defined the matomo installation directory on my server as open_basedir in the root .htaccess of my matomo installation:

php_value open_basedir "/is/htdocs/user/www/matomo/"

But now I get the following errors in the security check:
Core
upload_tmp_dir: unable to retrieve file permissions on upload_tmp_dir
Session
save_path: unable to retrieve file permissions on save_path

What is the problem and how can I fix it?

Lukas · March 7, 2021, 3:38pm

Hi,

Keep in mind that the PhpSecInfo library has not been updated since around 2009 and therefore I would keep its recommendations with a grain of salt:

github.com/matomo-org/plugin-SecurityInfo

Replace PhpSecInfo with something more modern

opened 09:33AM - 02 Dec 18 UTC

Findus23

As this is the most downloaded Matomo plugin and the description recommends usin…g it > We highly recommend that all Matomo administrators enable the SecurityInfo plugin, and then view the Settings. The plugin is a tool in a multilayered security approach. we should make sure that the recommendation it gives are up to date. Unfortunately the development for PhpSecInfo seems to have stopped in 2007 or 2009 and while there [have been some fixes to make it work with newer PHP versions](https://github.com/matomo-org/plugin-SecurityInfo/commits/master/PhpSecInfo/PhpSecInfo.php), I am not sure if the recommendations are still correct and (more importantly) if not some important recommendations are missing. But I couldn't find many alternatives. https://github.com/sektioneins/pcc seems to be newer, but it doesn't seem to have a way to get the results apart from echo. If someone knows a better alternative, please comment here.

The errors are also not security errors, but rather errors that the tests can’t run.

Crafter · March 7, 2021, 7:45pm

Thanks, that makes me really wondering because it was recommended in matomos guide.
Though I found a way to fix the erros. While districting the php scripts access with the “open_basedir” flag to the matomo directory only, the scripts didn’t had access to the upload tmp dir and save path anymore. So with “sys_get_temp_dir()” I was determining the temporary directory of my server and also add it to the open_basedir.