Why should I configure open_basedir?

PHP’s open_basedir restriction improves security by preventing PHP scripts from accessing files outside a specified set of directories. This is particularly relevant for Matomo because it supports custom plugins, and a plugin could attempt to access files outside of Matomo’s intended directory.

By properly configuring open_basedir, you can ensure that Matomo and its plugins can only access the necessary files within its installation directory, reducing the risk of unauthorised file access.

Assuming your Matomo installation is located in /srv/www/matomo, you can restrict PHP file access to this directory using the open_basedir directive.

Configure the php.ini file

If you have access to the php.ini file, add or modify the following line:

open_basedir = "/srv/www/matomo:/tmp"
  • /srv/www/matomo: Ensures Matomo can only access files within its own directory.
  • /tmp: Some plugins or PHP functions may need temporary file access.

Configure in Apache (if using Apache)

If you are using Apache with PHP running as an Apache module (mod_php) and cannot edit php.ini, you can set open_basedir in your VirtualHost configuration:

<Directory /srv/www/matomo>
    php_admin_value open_basedir "/srv/www/matomo:/tmp"
</Directory>

Configure in Nginx (if using PHP-FPM)

If using Nginx with PHP-FPM, set open_basedir in the php-fpm.conf or pool configuration file (e.g., /etc/php/7.x/fpm/pool.d/www.conf) and reload PHP-FPM afterwards. The same setting applies whenever PHP runs under PHP-FPM, whichever web server sits in front of it:

php_admin_value[open_basedir] = "/srv/www/matomo:/tmp"

Using .htaccess (if allowed)

If PHP runs as an Apache module and your server allows PHP settings in .htaccess files, you can add:

php_value open_basedir "/srv/www/matomo:/tmp"

What happens if a plugin tries to access files outside this directory?

If a plugin attempts to access files outside of /srv/www/matomo, PHP will prevent the operation and display a warning like:

Warning: file_get_contents(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/srv/www/matomo:/tmp) in /srv/www/matomo/plugins/SomePlugin/script.php on line X

If a necessary plugin fails due to this restriction, review its requirements and consider adding additional allowed paths only if strictly necessary.
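The following script, added here as an illustration and not part of Matomo or this FAQ, lets you observe the behaviour just described on constructed directories under the system temp directory. Run it from the command line (php open_basedir_demo.php) on a host with PHP installed. It spawns a throw-away PHP child process with a chosen open_basedir and asks it to read one file; the parent process is never restricted, so it can clean up afterwards. readWithBasedir() and all directory and file names are this example's own.

```php
<?php
// Added example, not part of Matomo or this FAQ. Demonstrates which reads an
// open_basedir setting allows, using a child PHP process per read so that the
// parent stays unrestricted and can remove the constructed directories.

function readWithBasedir(string $basedir, string $target): string
{
    // The child reads $target and reports either its content or the
    // open_basedir warning PHP raised (error_get_last() still sees it even
    // though @ silences the output).
    $code = sprintf(
        '$r = @file_get_contents(%s);'
        . ' echo $r === false'
        . '   ? "DENIED: " . (error_get_last()["message"] ?? "unknown error")'
        . '   : "OK: " . trim($r);',
        var_export($target, true)
    );
    // -n ignores php.ini so only the -d value applies in the child.
    $cmd = escapeshellarg(PHP_BINARY)
        . ' -n -d ' . escapeshellarg('open_basedir=' . $basedir)
        . ' -r ' . escapeshellarg($code) . ' 2>&1';
    return trim((string) shell_exec($cmd));
}

// Constructed layout:  <tmp>/obd_demo_xxxx/matomo      (the "installation")
//                      <tmp>/obd_demo_xxxx/matomo_old  (sibling sharing the name prefix)
//                      <tmp>/obd_demo_xxxx/outside     (unrelated directory)
$root    = sys_get_temp_dir() . '/obd_demo_' . bin2hex(random_bytes(4));
$matomo  = $root . '/matomo';
$sibling = $root . '/matomo_old';
$outside = $root . '/outside';
foreach ([$matomo . '/plugins', $sibling, $outside] as $dir) {
    mkdir($dir, 0700, true);
}
file_put_contents($matomo . '/plugins/plugin.json', "inside the installation\n");
file_put_contents($sibling . '/backup.sql', "sibling directory\n");
file_put_contents($outside . '/secret.txt', "outside the installation\n");
// A symlink inside the installation that points outside: open_basedir is
// checked against the resolved path, so this read is denied as well.
symlink($outside . '/secret.txt', $matomo . '/link_to_secret');

$cases = [
    $matomo . '/plugins/plugin.json',  // inside the allowed directory -> OK
    $outside . '/secret.txt',          // outside                      -> DENIED
    $sibling . '/backup.sql',          // same name prefix, other dir  -> DENIED (a directory is matched, not a string prefix)
    $matomo . '/link_to_secret',       // symlink pointing outside     -> DENIED
];
printf("open_basedir=%s\n", $matomo);
foreach ($cases as $target) {
    printf("  %-40s -> %s\n", substr($target, strlen($root)), readWithBasedir($matomo, $target));
}

// Cleanup by the unrestricted parent.
foreach ([$matomo . '/link_to_secret', $matomo . '/plugins/plugin.json',
          $sibling . '/backup.sql', $outside . '/secret.txt'] as $f) {
    unlink($f);
}
foreach ([$matomo . '/plugins', $matomo, $sibling, $outside, $root] as $d) {
    rmdir($d);
}
```

The DENIED lines carry the same "open_basedir restriction in effect" message quoted above, which is what you will see in the web server's PHP error log when a plugin steps outside the allowed paths.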

Can I test if open_basedir is working?

Yes, you can check your current setting by creating a PHP file (e.g., test.php) inside /srv/www/matomo with the following content:

<?php
echo ini_get('open_basedir');
?>

Access this file in your browser (e.g., https://your-matomo-url.com/test.php), and it should return:

/srv/www/matomo:/tmp

If the output is empty or different, check your server configuration to ensure open_basedir is correctly applied. Remove test.php once you have finished checking, so it is not left publicly accessible.
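A more thorough check than printing the raw value is to confirm that the directories Matomo and its plugins actually use are covered by the setting seen by the web server's PHP. The script below is an added example, not part of Matomo or this FAQ; save it as open_basedir_check.php inside the Matomo directory, open it once in the browser, then remove it. openBasedirReport() is this example's own helper. Running it with the CLI reports the CLI's php.ini, which may differ from the value in effect for PHP-FPM or mod_php, so the browser result is the one that matters.

```php
<?php
// Added example, not part of Matomo or this FAQ. Reports the effective
// open_basedir for the SAPI that runs this file and whether it covers the
// Matomo installation directory and the system temp directory.

function openBasedirReport(string $installDir): array
{
    $raw     = (string) ini_get('open_basedir');
    $entries = array_values(array_filter(array_map('trim', explode(PATH_SEPARATOR, $raw))));

    // PHP compares canonical (symlink-resolved) paths, so do the same here.
    // realpath() itself honours open_basedir: a path outside the allowed
    // list resolves to false and is therefore reported as not covered.
    $covered = function (string $path) use ($entries): bool {
        $real = realpath($path);
        if ($real === false) {
            return false;
        }
        $realSlash = rtrim($real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        foreach ($entries as $entry) {
            $dir = realpath($entry);
            if ($dir === false) {
                continue;   // allowed entry that does not exist on disk
            }
            $dirSlash = rtrim($dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
            if (strncmp($realSlash, $dirSlash, strlen($dirSlash)) === 0) {
                return true;
            }
        }
        return false;
    };

    return [
        'sapi'                => PHP_SAPI,   // "fpm-fcgi", "apache2handler", "cli", ...
        'open_basedir'        => $raw === '' ? '(empty: no restriction in effect)' : $raw,
        'install_dir'         => $installDir,
        'install_dir_covered' => $covered($installDir),
        'tmp_dir'             => sys_get_temp_dir(),
        'tmp_dir_covered'     => $covered(sys_get_temp_dir()),
    ];
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain; charset=utf-8');
}
echo json_encode(openBasedirReport(__DIR__), JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), "\n";
```

Both "covered" values should be true with the configuration from this FAQ; an empty open_basedir means the directive was not applied to the SAPI serving Matomo, and a false for the temp directory explains plugin failures that need /tmp.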

Conclusion

Setting open_basedir for Matomo enhances security by limiting PHP file access to the necessary directories. Note, however, that some plugins may require additional paths, so test your setup carefully after applying this restriction.
