Securing PHP via open_basedir based on script path

I have several users running PHP scripts on a server and I'd like to lock it down so that their scripts can only access files in their www directory (it doesn't use linux user accounts, so there isn't a home directory).

open_basedir seems like the obvious choice but how can I set that parameter based on where the script is running from? Obviously the value for open_basedir would be different for each user.

I'm running PHP5-FPM (PHP5 as a FastCGI process which nginx connects to) on Ubuntu 11.04.

Any help or advice appreciated!


Solution 1:

I've discovered the solution - php.ini directives based on the file path or request host. From the documentation:

[HOST=dev.site.com]
open_basedir = /var/www/dev.site.com

or

[PATH=/var/www/dev.site.com]
open_basedir = /var/www/dev.site.com
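An added php.ini fragment (not from the answer above) showing how the [PATH=] form from the manual scales to several users under PHP-FPM. The site names and directories are placeholders; the session directory is assumed to be Ubuntu's default for the php5 package.

```ini
; Added example, not part of the original answer: one [PATH=] section per
; user site. The section key is the directory the running script lives in
; (or any parent of it), so each user's tree gets its own open_basedir.
; [PATH=] and [HOST=] sections are honoured only by the CGI/FastCGI SAPIs,
; which includes PHP-FPM; they have no effect under mod_php.
; Placeholder layout: every site is checked out under /var/www/<site>/.

[PATH=/var/www/alice.example.com]
; Keep the trailing slash on the value: open_basedir is a prefix match,
; so "/var/www/alice.example.com" would also admit
; "/var/www/alice.example.com.bak" if that directory existed.
open_basedir = /var/www/alice.example.com/

[PATH=/var/www/bob.example.com]
; Several prefixes are separated with ":" on Linux. The session directory
; (assumed to be /var/lib/php5 here) is added because the default file
; session handler is subject to open_basedir as well and would otherwise
; fail to open session files.
open_basedir = /var/www/bob.example.com/:/var/lib/php5/
```

Restart php5-fpm after editing php.ini, then confirm with phpinfo() from a script in each tree that the expected open_basedir value is active there.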

Solution 2:

Assuming you're using Apache, you should be able to set it within each VirtualHost instance with:

php_admin_value open_basedir /path/to/restrict/to

Resist the temptation to use ".", as the user can still change directory with chdir().

http://php.net/manual/en/ini.core.php has a bit more information, too.