PHP-FPM: Can't create files outside of vhost's root-dir (open_basedir not working properly)

[Sommerzeit]

Hi there

I'm trying to do a simple mkdir() in PHP outside of the vhosts root-dir (e.g. instead of creating a folder in "/var/www/vhosts/example.com" I want to create it in "/var/www/vhosts/other-vhost.com/static"). I've come to face two major problems:

1. I added the folder I want to create files inside (e.g. /var/www/vhosts/other-vhost.com/static) to the open_basedir-list. PHP recognized the change (phpinfo() listed the new open_basedir-entry), but the access to the folder was still restricted as if I had not changed the open_basedir-list (same restriction-error as before):

mkdir(): open_basedir restriction in effect. File(/var/www/vhosts/other-vhost.com/static/some_dir) is not within the allowed path(s): (/var/www/vhosts/example.com/:/tmp/:/var/www/vhosts/other-vhost.com/static/)

Adding the folder to the open_basedir-list was working when I ran my script on an older server using php 5.3 as an apache-module on Plesk 11.5

2. Then I set open_basedir to none. Now I'm only getting a "mkdir(): Permission denied" warning. The thing is: I set the chmod to 777 and even chowned the folder to the user php-fpm should be using (it is using the system user as assigned by plesk, isn't it?). Permission is still denied.

Currently I'm using PHP 5.6.13 (run as PHP-FPM handled by apache) on Debian 8.2 with Plesk 12.5. Creating files/folders inside the vhosts-root-dir is working like a charm.

Is there any other php/apache/linux-security-obstacle I have to bypass to make this work?

Example:
Plesk system user: example-user

.php-File:

/var/www/vhosts/example.com/httpdocs # ls -l
-rw-r--r-- 1 example-user psacln 1806 Oct 19 13:26 index.php

And I'm trying to write in this folder ("static"):

/var/www/vhosts/other-vhost.com # ls -l
drwxr-xr-x 6 example-user psacln  4096 Oct 19 11:31 static

/etc/php5/fpm/pool.d/example.com.conf (with open_basedir)

[example.com]
; Don't override following options, they are relied upon by Plesk internally
prefix = /var/www/vhosts/system/$pool
user = example-user
group = psacln

listen = php-fpm.sock
listen.owner = root
listen.group = psaserv
listen.mode = 0660

; Following options can be overridden
chdir = /

; By default use ondemand spawning (this requires php-fpm >= 5.3.9)
pm = ondemand
pm.max_children = 5
pm.process_idle_timeout = 10s
; Following pm.* options are used only when 'pm = dynamic'
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 1

; Uses for log facility
; If php_value[error_log] is not defined error output will be send for nginx
catch_workers_output = yes

; php.ini custom configuration directives
php_value[max_execution_time] = 60
php_value[display_errors] = on
php_value[max_input_time] = 60
php_value[open_basedir] = "/var/www/vhosts/example.com/:/tmp/:/var/www/vhosts/other-vhost.com/static/"
php_value[error_reporting] = 32759