How do I dynamically create PHP Sandboxes

Question

I'm trying to set up an environment that would allow me to have one global script in PHP that can call other scripts located in subdirectories which act like plugins. However, I'm trying to make sure that the scripts in the subdirectories can only access the contents of their own subdirectory to make sure that I can enforce access control.

To illustrate: File A can call any other file and check their contents File B can only access scripts and files located in directory X File B cannot access file A or files located in any other dir than X (eg Y) File C can only access scripts and files located in directory Y File C cannot access file A or files located in any other dir than Y (eg X)

Additionally, I want to make sure that any subdir of X can be accessed by the scripts located in X.

Is there any way in a PHP + Apache environment to enforce this kind of behaviour in an automated, secure and scalable way?

Answer 1

PHP has a configuration directive called open_basedir , which "Limit[s] the files that can be accessed by PHP to the specified directory-tree, including the file itself." ( PHP Docs ) open_basedir is PHP_INI_ALL , so you can either set it via ini_set() before include() ing a file or communicate it via the command line directive -d .

If open_basedir is not enough, you possibly want the called scripts to run inside a chroot environment. See http://www.cyberciti.biz/faq/unix-linux-chroot-command-examples-usage-syntax/ for that. Be aware that this requires a lot of fiddling around with user rights because chroot wants to be run from root or a root-alike account. PHP also provides a chroot() function, but i think that one offers much less flexibility than a php-script that is invoked with chroot via the commandline.

Of course there is several other virtualization and sandboxing software out there. But these two solutions meet your goals closest, I think.