phpmyadmin complains about permissions and open_basedir - but they all appear correct

Question

phpmyadmin has been installed and working fine for months, installed via this repo:

deb http://ppa.launchpad.net/tuxpoldo/phpmyadmin/ubuntu utopic main

Suddenly, I couldn't login; no in-page errors but the logs showed:

PHP message: phpmyadmin: Failed to load /etc/phpmyadmin/config-db.php Check group www-data has read access and open_basedir restrictions"
PHP message: phpmyadmin: Failed to load /var/lib/phpmyadmin/config.inc.php Check group www-data has read access and open_basedir restrictions"

So, I checked:

ll /etc/phpmyadmin

drwxrwxr-x   3 www-data www-data  4096 Nov 16 20:11 ./
drwxr-xr-x 132 root     root     12288 Nov 17 15:33 ../
-rw-r-----   1 www-data www-data   549 Nov 16 20:11 config-db.php

and

ll /var/lib/phpmyadmin

drwxr-xr-x  4 www-data www-data 4096 Oct  8 15:51 ./
drwxr-xr-x 62 root     root     4096 Nov 12 13:10 ../
-rw-r-----  1 www-data www-data 4478 Nov 16 19:48 config.inc.php

I followed this SO answer and changed the user and group permissions to match the example (user:root, group:www-data) and changed the directory permissions to match.

I double, triple checked that no open-basedir restrictions are in effect, and I checked phpinfo()
I tried changing the permissions to be that of the fpm worker pool.
I rebooted.
I did an sudo apt-get install --reinstall phpmyadmin.

The ONLY thing I've done inbetween is to follow this guide to installing freePBX, and 90% of what it wanted was on my machine anyway; only things like sqlite were installed, and I can't even be sure it was that which stopped it working. Long shot, but perhaps worth mentioning.

Everything else, all other sites etc, are running fine. Before I lose any more hair than I have done in the last 5 hours, I'd really appreciate some ideas. Thanks!

Answer 1

Turns out this is a rather misleading message from phpmyadmin:

Check group www-data has read access and open_basedir restrictions.

But anyone running multiple sites, using php-fpm and concerned at all about security will have separate pools for each site.

The solution, in my particular case was:

chown -R phpma:phpma /var/lib/phpmyadmin
chown -R phpma:phpma /etc/phpmyadmin
chown -R phpma:phpma /usr/share/phpmyadmin

Then sudo dpkg-reconfigure -plow phpmyadmin

Incidentally, it appears that doing a package install on Ubuntu splatters files all over the place, and it goes a little something like this:

/etc/phpmyadmin/config.inc.php

includes the following files in this order, which really won't need touching unless you want to up the login cookie validity.

/var/lib/phpmyadmin/blowfish_secret.inc.php // self explanatory
/var/lib/phpmyadmin/config.inc.php // LoginCookieValidity etc
/etc/phpmyadmin/config-db.php // Leave this one alone
/usr/share/phpmyadmin/config.inc.php // auth, host, connection etc

I hope this helps someone else at any rate.

Answer 2

This is certainly due to the fact you are using mpm_itk_module.

If yes, you have to use in your apache settings :

<ifmodule mpm_itk_module>
AssignUserId myuser www-data
</ifmodule>

instead:

<ifmodule mpm_itk_module>
AssignUserId myuser myuser
</ifmodule>

phpmyadmin need group www-data, and if you use AssignUserId, with another group it fails off course.

And you can add to you apache config in "Directory":

php_admin_value open_basedir "/home/yourpath/htmldir:/etc/phpmyadmin:/var/lib/phpmyadmin"

Replace /home/yourpath/htmldir by your own web dir.

I hope this help