I've come across this problem: I have a server running Apache and PHP. We have many virtual hosts but we've noticed that a potentially malicious user could use his web s
It is possible to set open_basedir on a per-directory basis using the php_admin_value Apache directive.
Example from the manual:
php_admin_value open_basedir /docroot
Re your comment: yes, external commands are not affected by open_basedir - when calling ls / this is done with the rights the user account PHP runs under (often named www or similar). As far as I know, it is not possible to extend open_basedir to external commands.
In that case, I don't think the kind of protection that you're looking for is possible in a normal Apache/PHP setup. The only thing that maybe comes close is running Apache in a chroot jail. I haven't done this myself so I can't say anything about it - you'd have to dig in and maybe ask a question specifically about that.
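A small audit for the per-virtual-host open_basedir setup discussed in the answer above, added here as an example (it is not code from the original post). It parses Apache configuration text and flags virtual hosts that have no php_admin_value open_basedir line, or whose value is a parent of DocumentRoot and therefore also covers sibling hosts. The sample configuration, hostnames and paths are constructed, and the parser assumes one directive per line with ':' as the path separator.

```python
import re

# Constructed sample config for illustration; hostnames and paths are made up.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName alice.example
    DocumentRoot /var/www/alice
    php_admin_value open_basedir /var/www/alice/:/tmp/alice/
</VirtualHost>
<VirtualHost *:80>
    ServerName bob.example
    DocumentRoot /var/www/bob
</VirtualHost>
<VirtualHost *:80>
    ServerName carol.example
    DocumentRoot /var/www/carol
    php_admin_value open_basedir /var/www
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)

def directive(block, name_re):
    """Return the argument of the last uncommented occurrence of a directive."""
    hits = re.findall(rf"^[ \t]*{name_re}[ \t]+(.+?)[ \t]*$", block, re.M | re.I)
    return hits[-1].strip('"') if hits else None

def as_dir(path):
    """Normalise to a trailing-slash form so prefix tests respect path boundaries."""
    return path.rstrip("/") + "/"

def audit(conf):
    """Map each ServerName to 'ok', 'missing open_basedir' or 'too broad: <entry>'."""
    report = {}
    for block in VHOST_RE.findall(conf):
        name = directive(block, "ServerName") or "(unnamed)"
        docroot = directive(block, "DocumentRoot")
        basedir = directive(block, r"php_admin_value[ \t]+open_basedir")
        if basedir is None:
            report[name] = "missing open_basedir"
            continue
        report[name] = "ok"
        for entry in basedir.split(":"):  # ':' is the separator on Unix-like systems
            # An entry that is a strict parent of DocumentRoot also covers sibling vhosts.
            if docroot and as_dir(docroot).startswith(as_dir(entry)) and as_dir(docroot) != as_dir(entry):
                report[name] = f"too broad: {entry}"
    return report

if __name__ == "__main__":
    for host, status in audit(SAMPLE_CONF).items():
        print(f"{host}: {status}")
```

An "ok" result only covers PHP's own file functions; as the answer notes, external commands are not affected by open_basedir.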