Plesk, PEAR, include_paths, open_basedir and Media Temple
If you follow my blog you’ll know that I’ve recently moved to Media Temple as my hosting provider. I’ve gone for a Dedicated Virtual server and so far I’m very pleased with the flexibility I have with it.
Media Temple’s servers, like those of many other providers, run Plesk as their control panel, which means there are a few quirks that need to be overcome.
I should say at this point that I don’t claim to be a Linux/Plesk expert; I simply know enough to find my way around (or enough to be dangerous, depending on who you’re asking).
Default behaviour
By default Plesk uses the PHP open_basedir directive to limit access to files outside a site’s directory tree. So if you have set up the domain example.com, all your files go into the httpdocs folder (unless you’re using an SSL certificate, in which case they go in the httpsdocs folder). For our example.com domain the server path would be:
/var/www/vhosts/example.com/httpdocs
Plesk’s default value for open_basedir is:
/var/www/vhosts/example.com
Which means any PHP script you place in the httpdocs folder cannot reach files above the example.com folder in the directory tree.
This is a security measure.
The problem
There are two scenarios (that I’ve come across) where this is a problem. The first is if you want to use PEAR, which is the scenario I’m most familiar with and will be covering the solution for here, and the second is if you want to use the Expression Engine Multi Site Manager.
Both require PHP scripts to access files outside of their directory-tree.
The solution
To enable access to PEAR packages we need to add the server path to the open_basedir variable as well as the include_path variable. If you’re on a Media Temple server like me the path should be:
/usr/share/pear
If not you’ll need to locate the folder that PEAR is installed in on your server.
Step 1 – SSH to the server
You need to SSH into your server. If you are with Media Temple and this is the first time you are trying to do this, you’ll first need to enable Root Access for your domain through your Media Temple Account Center.
If you’re on a Mac you can use Terminal to SSH to your server with:
ssh admin@example.com
Then your password.
If you’re on a PC you can use PuTTY. My memory is fuzzy on the exact use, however, so you’ll need to consult the manual.
Once you are connected to your server you will need to switch user to root for the next step. To do this enter:
su - root
Then your password.
Step 2 – Create a vhost.conf file
Be careful, you now have godly control of your server!
We now need to create a vhost.conf file for our example.com domain which will override Plesk’s default settings.
The following command will create the file:
vim /var/www/vhosts/example.com/conf/vhost.conf
If you’ve never used vim (which is an editor for Linux) you need to know that pressing the ‘a’ key puts you into insert mode and the ‘esc’ key takes you out (this is about the extent of my vim knowledge, I hope you are impressed!).
While in insert mode enter the following information:
<Directory "/home/httpd/vhosts/example.com/httpdocs">
    php_admin_value open_basedir "/home/httpd/vhosts/example.com/httpdocs:/usr/share/pear:/tmp"
    php_admin_value safe_mode Off
    php_admin_value include_path ".:/usr/share/pear"
</Directory>
To save the file and quit, press the ‘esc’ key to leave insert mode, type ‘:wq’ (write and quit) and press enter.
So you can see that we specified the location of our example.com domain, added /usr/share/pear to the open_basedir variable and turned off safe_mode…?
PHP documentation states that open_basedir isn’t affected by safe_mode being on or off; however, from my experience, if you don’t have it turned off, PEAR doesn’t work. As I say, I’m no expert, so maybe someone can enlighten me?
You can also see that we set the PHP include_path to also include /usr/share/pear.
A little gotcha
We use php_admin_value to set the include_path. Values set with php_admin_value cannot be overridden from within a script, which means that the include path cannot be changed using the PHP set_include_path function.
If you want to be able to change the include_path from within your script, perhaps you want to include a folder containing your own classes for example, you need to change:
php_admin_value include_path ".:/usr/share/pear"
To:
php_value include_path ".:/usr/share/pear"
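To see at a glance what a vhost.conf like the one in Step 2 opens up, the shell script below (an added example, not part of the original post) lists each open_basedir entry as inside or outside the site's own folder and reports whether include_path is locked by php_admin_value or left script-changeable by php_value. The names sample_conf and audit_vhost and the embedded sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report what a Plesk vhost.conf exposes to PHP.
# sample_conf and audit_vhost are hypothetical names.

# Constructed sample input: the vhost.conf from Step 2.
sample_conf() {
cat <<'EOF'
<Directory "/home/httpd/vhosts/example.com/httpdocs">
    php_admin_value open_basedir "/home/httpd/vhosts/example.com/httpdocs:/usr/share/pear:/tmp"
    php_admin_value safe_mode Off
    php_admin_value include_path ".:/usr/share/pear"
</Directory>
EOF
}

# Usage: audit_vhost SITE_ROOT < vhost.conf
# Prints "open_basedir PATH inside|outside" for every allowed path and
# "include_path locked|script-changeable" depending on the directive used.
audit_vhost() {
    site_root=$1
    while read -r directive name value; do
        value=$(printf '%s' "$value" | tr -d '"')   # drop the surrounding quotes
        case "$directive $name" in
        "php_admin_value open_basedir"|"php_value open_basedir")
            old_ifs=$IFS; IFS=:                      # entries are colon-separated
            for path in $value; do
                case "$path" in
                "$site_root"|"$site_root"/*) echo "open_basedir $path inside" ;;
                *) echo "open_basedir $path outside" ;;
                esac
            done
            IFS=$old_ifs ;;
        "php_admin_value include_path") echo "include_path locked" ;;
        "php_value include_path")       echo "include_path script-changeable" ;;
        esac
    done
}

# Run against the sample when executed directly.
sample_conf | audit_vhost /home/httpd/vhosts/example.com
```

Entries reported as outside, such as /tmp here, are locations shared with everything else on the server, so they are the ones worth reviewing before Step 3.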
Step 3 – The scary bit! Reconfigure and restart apache
You now need to run the following command so that the server knows to use our new vhost.conf file:
/usr/local/psa/admin/sbin/websrvmng --reconfigure-vhost --vhost-name=example.com
And then restart apache:
/etc/init.d/httpd stop
/etc/init.d/httpd start
Conclusion
That should be it; you’re all PEAR’ed up and ready to go. You should note that this configuration will only affect the example.com domain. If you create a new domain you’ll have to create a vhost.conf file for that domain as well.
















9 Comments
Ian Atkinson 2nd, November 2009 at 5:01 pm
I'm sure you meant ':wq' not just 'wq' unless you want people stuck in Vim purgatory!
You should also restart Apache with 'apache2ctl graceful' not by interacting directly with the init job.
Ian.
Ryan Taylor 2nd, November 2009 at 9:47 pm
@Ian Thanks for pointing that out (updated now), Vim purgatory is no place to spend time, it's happened to me before.
As for your other point, for a Media Temple it would be 'apachectl graceful', I went with the init stop/start after reading a knowledge base article outlining an Apache restart, but you're quite right, that command is more proper, as I say I'm no expert. ;-)
jmcvearry 3rd, November 2009 at 9:52 pm
@ryanhavoc nice article here: http://bit.ly/1PZANs we should maybe chat about things :)
This comment was originally posted on Twitter
Doug Hagan 18th, January 2010 at 12:48 am
Ryan, you really saved my bacon here. I had a subdomain.example.com so the big SCARY wasn't necessary. Thanks so much for your post, this was a hair puller for me yesterday, betting my Flex app with php webservice deployed to a CentOS box with Plesk. Thanks again for taking the time to post. --Doug in Paia, HI
Ryan Taylor 18th, January 2010 at 9:54 am
@Doug - Glad you found it useful. :-)
Vincenzo Barranca 18th, January 2010 at 8:00 pm
Finally! I installed OpenX Ad Server and was getting a require_once() Pear error all because their script requires .:.:/usr/bin/pear in the include path...(yes .:.: not just .:) yours is the only website in all of Google with that one line that finally made it all click for me!
Big Thank You!
Ryan Taylor 18th, January 2010 at 8:52 pm
@Vincenzo - You're welcome. Glad it helped. :-)
Jamie 1st, February 2010 at 12:41 am
You are a life saver!!
Thank you
Chris 10th, August 2010 at 4:21 pm
Great article! But, N.B.: I found this blog entry before I found the Media Temple KB article, and thought I'd leave a little update, as I got caught by not being able to read. The above instructions are all true for DV 2.x servers. For 3.x, the paths have changed so /home/httpd/ becomes /var/www/ in all cases.
Cheers!
Chris