PHP - a different open_basedir per each virtual host
It is possible to set open_basedir
on a per-directory basis using the php_admin_value
Apache directive.
Example from the manual:
<Directory /docroot> php_admin_value open_basedir /docroot </Directory>
Re your comment: yes, external commands are not affected by open_basedir
- when calling ls /
this is done with the rights the user account PHP runs under (often named www
or similar). As far as I know, it is not possible to extend open_basedir
to external commands.
In that case, I don't think the kind of protection that you're looking for is possible in a normal Apache/PHP setup. The only thing that maybe comes close is running Apache in a chroot jail. I haven't done this myself so I can't say anything about it - you'd have to dig in and maybe ask a question specifically about that.
You can set many php.ini settings using the Apache configuration file.
See these related pages from the PHP manual:- http://php.net/manual/en/configuration.changes.php- http://www.php.net/manual/en/ini.core.php#ini.sect.path-directory- http://www.php.net/manual/en/configuration.changes.modes.php
chroot is a good idea. And now docker is more effective.
and open_basedir with "/docroot" is not security ,you should end with a "/" or PHP can access /docroot1