how to add an open_basedir path in nginx vhost

In php.ini I've set

open_basedir = /home/user/web/

Now I would like to run phppgadmin on a subdomain which needs to include files from /usr/share/phppgadmin.
So I added the following line to the nginx-config for this host:

fastcgi_param PHP_VALUE open_basedir="/home/user/web/:/usr/share/phppgadmin/";

and restarted nginx. However, I can't access the site because of following error:

[error] 31440#0: *1 FastCGI sent in stderr: "PHP Warning: include_once(): open_basedir restriction in effect. File(/usr/share/phppgadmin/libraries/lib.inc.php) is not within the allowed path(s): (/home/user/web/) in /usr/share/phppgadmin/info.php on line 10

What could be the reason that the 2nd path isn't listed here? What else do I need to add an open_basedir to a virtual host? I only used the default file in /sites-available.

edit Always think of restarting fpm...

service php5-fpm restart

Solution 1:

For your particular situation, you should consider just adding /usr/share to the default open_basedir, since anything in there is designed to be read by the world anyway.

Plus, open_basedir is easily circumvented unless you have locked down shell_exec, exec, system and similar PHP functions so don't consider secured for using it (I know, it sucks).

If you're wondering how you can circumvent it easily, you can just system('php -n ascript.php');. The -n will cause no PHP.ini to be read, so no open_basedir will be applied.

Solution 2:

Just FYI, if you have nginx configs set for multiple vhosts (so, configs in /etc/nginx/sites-enabled/example.com) then you may need to set the fastcgi_param PHP_VALUE open_basedir= there:

    location ~ \.php$ {
            try_files $uri =404;
            fastcgi_param PHP_VALUE open_basedir="/var/www/:/new/path";
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
            fastcgi_index index.php;
            include fastcgi_params;