
Allow include from directory but prevent fopen to the same location


I'm trying to figure out if there is a way I can allow include files to a certain directory outside of the open_basedir by allowing the path in open_basedir, but at the same time, prevent fopen, file_get_contents, etc. from opening files in those directories.

The idea is to prevent malicious clients from stealing the source code for the platform they only have license use of, and moving it to a different server without authorization.

Since the accounts are chrooted, they cannot run shell_exec system commands or otherwise access the files from the shell; however, since I have to allow them in open_basedir to include the files, someone could write a script to replicate the file structure of the include path in the local account, and then FTP it down.

I would like to prevent that from being possible, if possible.

Disabling fopen etc. is not an option.


Solution

  • Here's a long-shot:

    1. Download PHP SRC: https://github.com/php/php-src/

    2. Modify the php_check_specific_open_basedir function in https://github.com/php/php-src/blob/master/main/fopen_wrappers.h

    To add this line, which returns -1 when your path is accessed:

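    PHPAPI int php_check_specific_open_basedir(const char *basedir, const char *path)
    {
        /* Compare the string contents with strcmp(); == on two char
           pointers only compares addresses, and C strings need double quotes. */
        if (strcmp(basedir, "/path/to/your/protected/area/") == 0) {
            return -1;
        }
        /* ... rest of the original function body unchanged ... */
    }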
    
    3. Then make/build/install PHP on your server with your src edits
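
An added example, not part of the original answer and not PHP's own code: a standalone C model of the comparison such a patch needs, matching the accessed path against the protected directory on a path-component boundary. The helper names are hypothetical, and the path is assumed to be absolute and already canonical (no `..`, no symlinks).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Placeholder directory, the same one used in the answer. */
#define PROTECTED_DIR "/path/to/your/protected/area/"

/*
 * Hypothetical helper (not a PHP API): true when `path` is the protected
 * directory itself or anything beneath it.
 * Assumption: `path` is absolute and already resolved by the caller.
 */
bool path_is_protected(const char *path, const char *protected_dir)
{
    if (path == NULL || protected_dir == NULL) {
        return false;
    }
    size_t dir_len = strlen(protected_dir);
    if (dir_len == 0) {
        return false;               /* an empty rule protects nothing */
    }
    /* Ignore trailing slashes so "/a/b/" and "/a/b" name the same directory. */
    while (dir_len > 1 && protected_dir[dir_len - 1] == '/') {
        dir_len--;
    }
    if (strncmp(path, protected_dir, dir_len) != 0) {
        return false;
    }
    if (protected_dir[dir_len - 1] == '/') {
        return true;                /* protected_dir is "/" */
    }
    /* Match only on a component boundary: "/a/b" must not match "/a/bc". */
    return path[dir_len] == '\0' || path[dir_len] == '/';
}

/* Uses the answer's convention of -1 for "deny"; 0 here means "not protected". */
int check_protected(const char *path)
{
    return path_is_protected(path, PROTECTED_DIR) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample paths. */
    printf("%d\n", check_protected("/path/to/your/protected/area/lib.php"));
    printf("%d\n", check_protected("/path/to/your/protected/area-copy/lib.php"));
    return 0;
}
```

The PHP manual states that open_basedir is checked for `include` as well as `fopen()`, so a denial placed inside the open_basedir check rejects both kinds of access to the protected directory.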