Atadj

Reputation: 7200

Can PHP be restricted to work in a certain folder only?

I'm almost sure that PHP is always able to go anywhere on the server and do anything with any files, but I'm wondering if there's a way to restrict it to work only in one folder, and what the requirements would be.

I mean, I've got, let's say, 50 WordPress installations, 50 folders. If a virus from an untrusted plugin affects only 1 installation, it instantly goes to the 49 others, too (because PHP can scan all the directories on the server).

Is there any way to prevent that? If a virus breaks into 1 installation of WordPress, I want it to stay only there.

My hosting provider said it's not possible without buying another server. What is your opinion?

Upvotes: 0

Views: 165

Answers (2)

complex857

Reputation: 20753

With php-fpm you can chroot PHP workers (for absolute separation) and give every PHP application its own user and PHP configuration (timeouts, memory limits, etc.). You don't have to use chroot to have unique users. With simple file permissions you can make the webroots unreadable to anyone who is not the dedicated user for that webroot. Also, this is not specific to Apache; it works with any other web server that supports FastCGI.

A way that is a little easier to set up could be relying on PHP's open_basedir (there's a dispute about how secure open_basedir is, since PHP's developers frequently fix bugs related to this feature).

Upvotes: 5
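
The per-site isolation described in the answer above (a dedicated user and php-fpm pool per webroot, restrictive permissions on the site directory, open_basedir as a second layer), as an added example that is not part of the original answer. The `wp_<site>` account names, the `/srv/www/<site>/{htdocs,tmp}` layout, the socket path and the `www-data` web-server user are assumptions.

```shell
#!/bin/sh
# Added example. Assumed names: /srv/www/<site>/{htdocs,tmp}, one Unix account
# wp_<site> per site, web server running as www-data.
BASE="/srv/www"

# Print a php-fpm pool definition for one site.
render_pool() {
    site="$1"; user="wp_${site}"; root="${BASE}/${site}"
    cat <<EOF
[${site}]
; Workers run as a dedicated account instead of one shared PHP user.
user = ${user}
group = ${user}
listen = /run/php-fpm-${site}.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = ondemand
pm.max_children = 5
; Per-application limits (timeouts, memory).
request_terminate_timeout = 60s
php_admin_value[memory_limit] = 128M
; Second layer; php_admin_value cannot be changed by ini_set() or .user.ini.
; The trailing slash stops /srv/www/a from also matching /srv/www/ab.
php_admin_value[open_basedir] = ${root}/htdocs/:${root}/tmp/
php_admin_value[upload_tmp_dir] = ${root}/tmp
php_admin_value[session.save_path] = ${root}/tmp
; Full separation: chroot the workers (paths PHP sees are then relative to it).
;chroot = ${root}
EOF
}

# Print (not run) the commands that close a site directory to other site users:
# the owner gets full access, the web server enters via the group, others get nothing.
render_perms() {
    site="$1"; root="${BASE}/${site}"
    echo "chown -R wp_${site} ${root}"
    echo "chgrp www-data ${root}"
    echo "chmod 750 ${root}"
}

# Constructed site names, for illustration only.
for s in blog1 shop2; do
    render_pool "$s"
    render_perms "$s"
done
```

Because the top-level site directory is mode 750, a compromised `wp_blog1` worker cannot traverse into `/srv/www/shop2` even if files inside it are world-readable.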

nkr

Reputation: 3058

You can install suEXEC and run PHP in FastCGI mode. With this configuration you are allowed to run the PHP instances under different users.

I didn't try this tutorial myself but it looks good to me: How to set up PHP FastCGI with suEXEC on Debian

Upvotes: 3
