How do I limit PHP apps to their own directories and their own php.ini?

Question

I am running multiple PHP apps on my Mac, running OS X 10.5.6, Apache 2, PHP 5. I have subdomains setup for each project, a host file entries for each subdomain, and Virtual Directory blocks in the Apache config. So

project1.localhost goes to /Library/WebServer/Documents/Project1
project2.localhost goes to /Library/WebServer/Documents/Project2
etc...

However, this method doesn't really "isolate" the web apps. For example, if I include a script like so:

<?php
include("/includes/include.php");
?>

It references the script from the base directory of my computer. So it accesses
C:/includes/include.php

Is there a way for me to make it reference
C:/Library/WebServer/Documents/Project2/includes/include.php

Basically, make it so that its not aware of anything outside of its own directory. Also, is there a way to use php.ini's on a per subdomain basis as well?

Answer 1

Try a relative path! Like:

<?php
include("./includes/include.php");
?>

or

<?php
include("includes/include.php");
?>

Answer 2

If you want to use full path name, you can use that:

<?php
include  dirname( __FILE__ ) . '/includes/include.php';
?>

---

Possible solution for php.ini file

Answer 3

You can limit a scripts ability to see anything above a specific folder tree by adding the open_basedir directive a folder block in the httpd.conf file. It should look like:

<DIRECTORY /full/path/to/folder/containing/script/>

php_admin_value open_basedir "/full/path/to/top/folder/of/desired/tree/"

</DIRECTORY>

One thing - if you don't end the path with a / then it's a wildcard match. In other words, "/var/etc/my" will match "/var/etc/myFolder" as well as "/var/etc/myMothersFolder", while "/var/etc/my/" will only match that exact folder name.

Answer 4

Regarding application isolation ~ is this in regards to securing PHP scripts so they cannot access others? Please elaborate -

Regarding php.ini - I am not aware of any way to use a specific php.ini per directory, but you could certainly create a php include page with a bunch of ini_set() lines, perhaps something like this ..

<?php
  // in your header or along top of all php modules in your pap
  require_once ( '/path/to/includes/ini_set.php' );

  // ...

?>

and the ini_set.php script:

<?php
  // one of these for each override of defaults set in php.ini file --
  ini_set ( $varname, $newvalue );
  ini_set ( $varname, $newvalue );
  ini_set ( $varname, $newvalue );
?>

If you are interested in learning more about the ini_set() function, here is the documentation page on php.net: http://us3.php.net/ini_set

Hope this was somewhat helpful ~

Answer 5

I believe it's possible to set a php.ini per virtual host

<VirtualHost *:80>
    ...

    PHPINIDir /full/path/to/php/ini/

</VirtualHost>

this way you can customize open_basedir and others

Answer 6

Best way to do so is to use PHP via FCGI (mod_fcgid). This way you can run PHP using a different user and a different php.ini per vHost.

Here's an example how to set up such a configuration on Ubuntu: http://www.howtoforge.com/how-to-set-up-apache2-with-mod_fcgid-and-php5-on-ubuntu-8.10