Warning - is_readable(): open_basedir restriction in effect in Plugin.php(628)

Hi,

I am using Matomo 4.9.0 with no additional plugins installed. When I run the core:archive command containing an open_basedir restriction, I receive the following warning messages:

Call

/usr/local/php80/bin/php -d open_basedir="/sites/matomo/:/var/www/vhosts/###/sites/matomo/:/tmp/" -d memory_limit=512M /sites/matomo/console core:archive --no-ansi

Console Output

INFO [2022-04-23 01:00:45] 7445 ---------------------------
INFO [2022-04-23 01:00:45] 7445 SCHEDULED TASKS
WARNING [2022-04-23 01:00:45] 7445 /sites/matomo/core/Plugin.php(628): Warning - is_readable(): open_basedir restriction in effect. File(/var/www/vhosts/###/sites/matomo/plugins/API/Renderer/Console.php) is not within the allowed path(s): (/sites/matomo/:/var/www/vhosts/###/sites/matomo/:/tmp/) - Matomo 4.9.0 - Please report this message in the Matomo forums: https://forum.matomo.org (please do a search first as it might have been reported already)
WARNING [2022-04-23 01:00:45] 7445 /sites/matomo/core/Plugin.php(628): Warning - is_readable(): open_basedir restriction in effect. File(/var/www/vhosts/###/sites/matomo/plugins/CoreUpdater/ReleaseChannel/LatestBeta.php) is not within the allowed path(s): (/sites/matomo/:/var/www/vhosts/###/sites/matomo/:/tmp/) - Matomo 4.9.0 - Please report this message in the Matomo forums: https://forum.matomo.org (please do a search first as it might have been reported already)
INFO [2022-04-23 01:00:45] 7445 Starting Scheduled tasks…

Why does this warning appear although both paths are part of the open_basedir?

Thanks!

@Lukas @SteveG @innocraft any idea?

I personally don’t have any experience with open_basedir. But as the error comes directly from PHP I assume it is unrelated to Matomo.

And I assume only your server host can tell you more about why this occurs and how they set up PHP. Maybe there is an issue with symbolic links and the paths are not actually the same?


I agree that the error is thrown directly by PHP, but the question is: Where does Matomo get the information to access the internal path of “**/var/www/vhosts/###/**sites/matomo”? Normally, this path should be unknown to the application. Even the console root does not see part of the path before /sites/matomo/. It is not set in any PHP environment and also not passed via command line.

Isn’t it PHP that runs in a wrong env path?

How could I check that?

This is the output of the PHP environment via getenv()

[SSH_CONNECTION] => ###
[LANG] => en_US.UTF-8
[XDG_SESSION_ID] => ###
[USER] => ###
[PWD] => /
[HOME] => /
[SSH_CLIENT] => ###
[SSH_TTY] => /dev/pts/3
[MAIL] => ###
[TERM] => xterm
[SHELL] => /bin/bash
[SHLVL] => 1
[LOGNAME] => ###
[XDG_RUNTIME_DIR] => ###
[PATH] => /usr/local/bin:/usr/bin:/bin:/usr/games
[_] => /usr/local/php80/bin/php

I read:
https://www.php.net/manual/en/ini.core.php#ini.open-basedir
But did not find anything interesting…

I think I somewhat understand the issue now.

The address “/var/www/vhosts/###/sites/matomo/” is the document_root when the Matomo website is accessed through Apache.
If the Matomo console is run directly from php command line, there is no Apache involved and the path above does not exist anywhere in the environment. The installation is located in “/sites/matomo” from the cli’s point of view.

Assumption: The matomo console reads the “/var/www/…”-address somewhere from its configuration. This path is only valid when run within Apache. Setting the “open_basedir” simply cannot work, because the path does not exist when run from cli.

Suggestion: The matomo console should always work with the paths relative to the “console” file. It already does it sometimes, e.g. geoip downloads to /sites/matomo work just fine.

I did some further analysis. The path “/var/www/vhosts/###/” is not located anywhere in the matomo config directory. It is also not stored in the SQL database (except for geoip download history). The only other place where the path string exists is in “/sites/matomo/tmp” and “/sites/matomo/tmp/cache”.

I ran console cache:clear and after that, the console core:archive did not present any open_basedir warning anymore. Unfortunately, the error reappears again after some time - maybe because the website was called from within apache in the meantime. So this looks like a caching issue within Matomo to me.
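
A way to test the caching hypothesis from the last post, as an added example that is not part of the thread or of Matomo: the script lists absolute `.php` paths stored under a cache directory that fall outside the install root as the CLI sees it. It assumes cached files hold paths as plain quoted strings; the function names, the script name and the `example.test` sample path are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic, not Matomo code. Assumption: cache files store absolute
# paths as plain quoted strings (the post found the path string in tmp/cache).

# Print each distinct absolute *.php path found in files under directory $1.
cached_php_paths() {
    # Require a leading quote so a relative path like plugins/API/Foo.php
    # is not cut into a fake absolute "/API/Foo.php".
    grep -rhoE "[\"']/[^\"']+\.php" "$1" 2>/dev/null | cut -c2- | sort -u
}

# Print cached paths outside install root $2 (the root as this process sees it).
foreign_cached_paths() {
    fcp_root=${2%/}
    cached_php_paths "$1" | while IFS= read -r fcp_path; do
        case $fcp_path in
            "$fcp_root"/*) ;;                  # inside the CLI's install root
            *) printf '%s\n' "$fcp_path" ;;    # written from another context
        esac
    done
}

# Build a constructed cache file (not real Matomo output) and scan it.
demo_constructed_cache() {
    demo_dir=$(mktemp -d) || return 1
    cat > "$demo_dir/sample.php" <<'EOF'
<?php return array(
  'a' => '/sites/matomo/plugins/API/API.php',
  'b' => '/var/www/vhosts/example.test/sites/matomo/plugins/API/Renderer/Console.php',
  'c' => 'plugins/CoreUpdater/ReleaseChannel/LatestBeta.php',
);
EOF
    foreign_cached_paths "$demo_dir" /sites/matomo
    rm -rf "$demo_dir"
}

# Real use: sh check_cache.sh /sites/matomo/tmp /sites/matomo
if [ "$#" -eq 2 ]; then
    foreign_cached_paths "$1" "$2"
else
    demo_constructed_cache
fi
```

Any path it prints lies outside the root the CLI sees, which matches the situation described in the last post, where `console cache:clear` removed the warning until the cache was written again.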