
How can I limit PHP code to a specific folder?


I'm setting up a webserver for my students to try their PHP code on. On the webserver I'll have a folder for each student and I don't want code that the students upload to their folder to change/read/execute files outside of the student's folder.

Is there any way to address this problem without setting up a VPS for each student?


Solution

  • Marc B suggested a chroot jail - but like VPS, this effectively entails running at least separate FPM pools for each student.

    A simpler solution would be to use the open_basedir functionality to constrain scripts to their own directory tree. You can enable this in the webserver config on a per directory basis - but I don't think there is an easy way to map the paths calculated by mod_userdir, i.e. you'll need lots of

     <Directory "/home/Gurgy/public_html">
        php_admin_value open_basedir "/home/Gurgy/"
     </Directory>
    
     <Directory "/home/MarcB/public_html">
        php_admin_value open_basedir "/home/MarcB/"
     </Directory>
    
     ...
    

    (This might merit a further question on Serverfault to see if anyone knows a better way of solving this more specific problem).

    There are some loopholes which allow you to get access to files outside the open_basedir restriction. The symlink bug is fixed, but not sure about the IMAP holes. Best to use a recent, patched version of PHP with Suhosin and do some further research.

    Having said that - unless it's a very short course, you might want to provide them each with a VM image which they can then use to explore other aspects of service provision.
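
One way to produce the repeated `<Directory>` stanzas from a class list and then check that each one confines a student to their own home, as an added example that is not part of the original answer. `HOME_ROOT`, the username pattern, the function names and the sample names in the usage are assumptions; the stanza layout follows the two shown in the answer.

```python
import re

# Assumption: student homes live under /home and serve ~/public_html,
# as in the answer's two stanzas.
HOME_ROOT = "/home"
USERNAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_-]{0,31}")

STANZA = (
    '<Directory "{home}/public_html">\n'
    '    php_admin_value open_basedir "{home}/"\n'
    '</Directory>\n'
)

def render_stanzas(usernames):
    """Return Apache config text with one open_basedir stanza per student."""
    seen, blocks = set(), []
    for name in usernames:
        # Reject names that could escape the quoted path or the student's
        # own tree: quotes, slashes, "..", whitespace, newlines, empty.
        if not USERNAME_RE.fullmatch(name):
            raise ValueError(f"unsafe username: {name!r}")
        if name in seen:
            raise ValueError(f"duplicate username: {name!r}")
        seen.add(name)
        blocks.append(STANZA.format(home=f"{HOME_ROOT}/{name}"))
    return "\n".join(blocks)

BLOCK_RE = re.compile(
    r'<Directory\s+"([^"]+)">\s*'
    r'php_admin_value\s+open_basedir\s+"([^"]+)"\s*'
    r'</Directory>'
)
OWNER_RE = re.compile(rf"{re.escape(HOME_ROOT)}/([^/]+)/public_html")

def audit(config_text):
    """Return (directory, open_basedir) pairs whose jail is not the owner's home."""
    problems = []
    for directory, basedir in BLOCK_RE.findall(config_text):
        owner = OWNER_RE.fullmatch(directory)
        expected = f"{HOME_ROOT}/{owner.group(1)}/" if owner else None
        if basedir != expected:
            # Catches hand edits such as a jail widened to /home/ or
            # pointed at another student's directory.
            problems.append((directory, basedir))
    return problems

if __name__ == "__main__":
    print(render_stanzas(["Gurgy", "MarcB"]))
```

Running `audit()` over the deployed file after any manual change flags a stanza whose `open_basedir` no longer matches the directory's owner.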