I am hosting websites for several clients who do not have shell access. How do I prevent these users from exploring the system using PHP? Right now, I'm using suphp to run their code as themselves, but they can still view files in other users' home directories, etc.
2 Answers
If you don't want to use chroot, you can set open_basedir and disable dangerous functions, such as system(), exec(), shell_exec(), passthru(), scandir(), popen() and proc_open().
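A way to check that each client's PHP configuration actually carries the two settings named in the answer above, as an added example that is not part of the original answer. It assumes each client has their own php.ini, Unix-style `:` separators in open_basedir, and a known home directory; `parse_ini`, `audit` and the sample files are hypothetical names and constructed inputs.

```python
import posixpath

# Functions the answer above lists as dangerous.
DANGEROUS = {"system", "exec", "shell_exec", "passthru",
             "scandir", "popen", "proc_open"}

def parse_ini(text):
    """Return {directive: value} from php.ini text; the last assignment wins."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if value[:1] == '"':
            value = value[1:].split('"', 1)[0]      # quoted value
        else:
            value = value.split(";", 1)[0].strip()  # drop inline comment
        cfg[key.strip().lower()] = value
    return cfg

def audit(text, home):
    """Return findings for one client's php.ini; an empty list means it passes."""
    cfg = parse_ini(text)
    home = posixpath.normpath(home)
    findings = []
    dirs = [d for d in cfg.get("open_basedir", "").split(":") if d]
    if not dirs:
        findings.append("open_basedir is not set")
    for d in dirs:
        path = posixpath.normpath(d)
        if path != home and not path.startswith(home + "/"):
            findings.append("open_basedir allows a path outside the home: " + d)
    disabled = {f.strip().lower() for f in cfg.get("disable_functions", "").split(",")}
    for name in sorted(DANGEROUS - disabled):
        findings.append("function not disabled: " + name)
    return findings

# Constructed sample inputs (not from the original page).
WEAK = """
[PHP]
open_basedir = /home/alice/:/home   ; second entry exposes every client
disable_functions = system, exec
"""
HARDENED = """
[PHP]
open_basedir = "/home/alice/"
disable_functions = system,exec,shell_exec,passthru,scandir,popen,proc_open
"""

if __name__ == "__main__":
    for label, ini in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(ini, "/home/alice"))
```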
Look into CHROOT
http://e.metaclarity.org/268/httpdsuexecchrootfastcgiphp/
The link provides detailed implementation instructions, but basically, the goal is to execute PHP scripts in a jail or chroot.