how to add an open_basedir path in nginx vhost

For your particular situation, you should consider just adding /usr/share to the default open_basedir, since anything in there is designed to be read by the world anyway.

Plus, open_basedir is easily circumvented unless you have locked down shell_exec, exec, system and similar PHP functions so don't consider secured for using it (I know, it sucks).

If you're wondering how you can circumvent it easily, you can just system('php -n ascript.php');. The -n will cause no PHP.ini to be read, so no open_basedir will be applied.


Just FYI, if you have nginx configs set for multiple vhosts (so, configs in /etc/nginx/sites-enabled/example.com) then you may need to set the fastcgi_param PHP_VALUE open_basedir= there:

    location ~ \.php$ {
            try_files $uri =404;
            fastcgi_param PHP_VALUE open_basedir="/var/www/:/new/path";
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
            fastcgi_index index.php;
            include fastcgi_params;