# Open_basedir restriction in effect error

**URL:** https://discourse.roots.io/t/open-basedir-restriction-in-effect-error/2796
**Category:** bedrock
**Created:** 2015-01-22T14:40:48Z
**Posts:** 14

## Post 1 by @hknc — 2015-01-22T14:40:48Z

Hi, i’ve made a fresh local development setup with bedrock-ansible + bedrock + roots theme. Now when i am activating the roots theme, i am getting this errors:

```
Warning: is_writable(): open_basedir restriction in effect. File(/) is not within the allowed path(s): (/srv/www/:/tmp) in /srv/www/test.dev/current/web/wp/wp-admin/includes/misc.php on line 170

Warning: Cannot modify header information - headers already sent by (output started at /srv/www/test.dev/current/web/wp/wp-admin/includes/misc.php:170) in /srv/www/test.dev/current/web/wp/wp-includes/pluggable.php on line 1178
```

What is causing these error messages?

---

## Post 2 by @swalkinshaw — 2015-01-22T17:56:04Z

`open_basedir` is a PHP setting for better security. It means that PHP can only open files in `/srv/www/` and `/tmp` (which is a good thing).

For some reason it looks like it’s trying to open a file in just `/`. That error is actually from this line:

> <https://github.com/WordPress/WordPress/blob/a47a5a177973e51dbdd862cbd7622308caabfc2a/wp-admin/includes/misc.php#L170>

Not sure what’s going on with your install as `.htaccess` doesn’t apply using Nginx. I’ve personally never seen that error or heard of anyone having it before.

---

## Post 3 by @fullyint — 2015-01-24T01:25:19Z

I had a similar error once, related to the PODS plugin. As mentioned [here](https://github.com/pods-framework/pods/issues/1813#issuecomment-41158816), I added `session.save_path = /tmp` to my php.ini (e.g., to [`roles/php/templates/php.ini.j2`](https://github.com/roots/bedrock-ansible/blob/master/roles/php/templates/php.ini.j2) in bedrock-ansible).

If you choose to adjust `session.save_path` and you are using bedrock-ansible, note that bedrock-ansible already has a `session.save_path` setting in [`roles/wordpress-sites/templates/php-fpm.conf.j2`](https://github.com/roots/bedrock-ansible/blob/master/roles/wordpress-sites/templates/php-fpm.conf.j2#L15-L18). However, it is conditional, and would only conflict if you’ve set `memcached_sessions: true` (default is `false`) in [`roles/wordpress-sites/defaults/main.yml`](https://github.com/roots/bedrock-ansible/blob/master/roles/wordpress-sites/defaults/main.yml#L10).

---

## Post 4 by @hknc — 2015-01-24T11:02:49Z

Thanks for the explanations. I couldn’t find the problem so after i removed everything including vagrant box and made setup again, problem resolved. But i don’t know what was the cause.

---

## Post 5 by @jasperfrumau — 2017-05-09T05:33:28Z

I briefly had the same error after getting this update done :

```
composer update
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 0 installs, 4 updates, 0 removals
  - Updating johnpbloch/wordpress-core (4.7.3 => 4.7.4): Loading from cache
  - Updating johnpbloch/wordpress (4.7.3 => 4.7.4): Loading from cache
  - Updating wpackagist-plugin/woocommerce (3.0.4 => 3.0.5): Downloading (100%) - Updating squizlabs/php_codesniffer (2.8.1 => 2.9.0): Loading from cache
Writing lock file
Generating autoload files
```

The error I got was the same as mentioned:

```
is_writable(): open_basedir restriction in effect. File(/) is not within the allowed path(s): (/srv/www/:/tmp) in /../wp-admin/includes/misc.php on line 209
```

When I reloaded the site the error disappeared again. When I checked the error logs using  
`tail /srv/www/sub.domain.com/logs/error.log` I had zero data in the logs. Latest errors were from two months ago. Odd, really, but that is all I can say about it now. Perhaps a glitch?

---

## Post 6 by @GhostInTheMachines — 2018-03-22T18:18:56Z

This wordpress-sites directory must have changed since this posting in Jan 15. I can only find the php-fpm.conf.j2 file in roles/wordpress-setup/templates now since there is no wordpress-sites directory.

I just started using the Trellis/Bedrock packages, but I am also getting this error that I can’t seem to find any current instructions on how to correct this error.

Warning: is\_writable() [function.is-writable]:  
open\_basedir restriction in effect.  
File(/) is not within the allowed path(s):

Also, my roles/php/templates/php.ini.js looks like this:  
session.save\_path = {{ php\_session\_save\_path }}

Could I just add the extra / directory at the end preceeding it with a colon?  
e.x. session.save\_path = {{ php\_session\_save\_path }}:/tmp:/

---

## Post 8 by @Michael — 2020-03-18T22:00:20Z

If you need to temporarily remove basedir restrictions on the fly, here’s a where you can manually make the open\_basedir = none change. Keep in mind this is not the best practice but I’m sharing it to help you get out of a temporary jam.

```
php -v
    cd /etc/php/7.3/fpm/pool.d
    nano wordpress.conf
# change value to = none
    php_admin_value[open_basedir] = none
# quit + save
    systemctl restart php7.3-fpm
```

---

## Post 9 by @pacotole — 2022-10-21T15:57:20Z

I’ve recently had this problem on a few projects. The cause seems to be some WooCommerce payment gateway plugin that regenerates its endpoints on each query and force flush rewrite rules.

As says:

> [@swalkinshaw](#):
>
> `.htaccess` doesn’t apply using Nginx

So, you can safely disable write of `.htacces` file adding the filter:

`add_filter('flush_rewrite_rules_hard','__return_false');`

---

## Post 10 by @pacotole — 2022-12-27T16:46:06Z

About this error: In some of our projects we have had problems with random number generation with some plugin that did not use @ when accessing `'/dev/urandom'`. Also many PHP Notices records are generated in the error logs (WordPress uses it, `@is_readable('/dev/urandom')`, for password generation).  
I think it is safe to access the read-only file `'/dev/urandom'` and that’s why we added it in our Trellis:

`php_admin_value[open_basedir] = {{ www_root }}/:/tmp:/dev/urandom`

I can make a Pull Request if you find it useful for general use.

---

## Post 11 by @strarsis — 2022-12-27T17:31:11Z

Related discussion:

> [@Open_basedir issue with woocommerce gift certificates plugin](https://discourse.roots.io/t/open-basedir-issue-with-woocommerce-gift-certificates-plugin/24358/2):
>
> The plugin doesn’t have a filter for the temp folder / temp file paths? The PHP open\_basedir config is set by a jinja template (Trellis ansible): You would have to override it so you can specify your own open\_basedir values, e.g.: php\_admin\_value[open\_basedir] = {{ php\_open\_basedir }} And then set the php\_open\_basedir variable as with other variables, e.g. to {{ www\_root }}/:/tmp:/extra-path-the-plugin-is-hardcoded-to-use/ (The path delimiter/separator in POSIX/Linux/(here) is :).

---

## Post 12 by @sweeble — 2023-03-15T22:21:41Z

The following appears to be the cause of the open\_basedir error:

In core WP function `get_home_path()` in `wp-admin/includes/file.php` at line 107, there’s a `$pos` variable that gets the `strripos` of the relative path to the WordPress root directory (which in Bedrock is `/wp/`) in the full server path to the site root `index.php`, which returns `false` since site root `index.php` is outside of `/wp/` in Bedrock.

I haven’t thought through how to solve this, especially since `WP_SITEURL=${WP_HOME}/wp` in `.env` and `get_home_path()` uses that value. For `.htaccess` stuff, maybe it’s enough to disable hooks such as @pacotole [suggested](https://discourse.roots.io/t/open-basedir-restriction-in-effect-error/2796/9). But `get_home_path()` is still broken and unavailable for non-htaccess stuff.

Ideas, anyone?

---

## Post 13 by @strarsis — 2023-03-15T23:06:47Z

What you are describing appears in this issue (also related to Bedrock), is it the same?

> <https://github.com/wp-media/wp-rocket-cli/issues/27>
>
> Hi,
> 
> The regeneration command does not work when running bedrock (https://root…s.io/bedrock). It fails to detect the correct htaccess path from CLI and then it will stop to work here (htaccess.php line 33)
> 
> $htaccess_file = get_home_path() . '.htaccess';
> 
> if ( ! rocket_direct_filesystem()->is_writable( $htaccess_file ) ) {
> // The file is not writable or does not exist.
> return false;
> }

Here is another plugin that adjusted this part to Bedrock paths:  
[https://github.com/igniteB0T/litespeed-cache](https://github.com/igniteB0T/litespeed-cache)

---

## Post 14 by @sweeble — 2023-03-16T00:38:49Z

@strarsis, that does appear to be the same issue. What brought this to my attention was GiveWP that has a [Form class](https://github.com/impress-org/givewp/blob/a027b56ce5a7738e3f2ae7b39548a34bf9c47428/src/Route/Form.php#L66-L77) that hits the core WordPress [WP\_Rewrite](https://github.com/WordPress/WordPress/blob/bef26741528b7f6fe94609fc0855d982fd7f6d03/wp-includes/class-wp-rewrite.php#L1875) class without checking whether the server is nginx. I’m wondering whether this problem is fully dependent on plugin developers to solve, or if there’s a way for Bedrock to solve it.