artodeto's blog about coding, politics and the world

Since a few days (or weeks?), I discovered the following issue on one of my Arch Linux system.
Whenever I try to use PHP's composer, I got the following issue:

[ErrorException]
is_dir(): open_basedir restriction in effect. File(/etc/pki/tls/certs) is not within the allowed path(s): (/srv/http/ [...]

Well, it didn't hurt that much since I am using (like every cool webkiddy is doing) docker or vagrant for my development. But this time, I needed to solve it since it is a customer edge case - so I solved it.
The how to I will show you is not the perfect way. I had two things in mind, try to minimize the place I have to adapt the php.ini. And try to keep the system as normal as possible. Until now, I can not estimate the security holes I opened with this setting. I will let you know if this how to turns out to be a "don't try this at home" thing.

So, what have I done?
First of all, I asked curl to tell me where it is looking for certificates by executing:

curl-config --ca
#output: /etc/ssl/certs/ca-certificates.crt

After that I had a look what this path is:

ls -halt /etc/ssl/certs/ca-certificates.crt
#output: [...] /etc/ssl/certs/ca-certificates.crt -> ../../ca-certificates/extracted/tls-ca-bundle.pem

So, with that knowledge it turned out that the following steps are reflecting my requirements mention above.

sudo mkdir -p /etc/pki/tls/certs
sudo ln -s /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-certificates.crt
sudo vi /etc/php/php.ini
#add following lines to "open_basedir" configuration section
# :/etc/pki/tls/certs:/etc/ssl/certs

And that is it, composer should now be back in business.