How can I limit PHP code to a specific folder?


I'm setting up a webserver for my students to try their PHP code on. On the webserver I'll have a folder for each student, and I don't want code that the students upload to their folder to change/read/execute files outside of the student's folder.

Is there any way to address this problem without setting up a VPS for each student?

2

There are 2 best solutions below

6
On BEST ANSWER

Marc B suggested a chroot jail - but like VPS, this effectively entails running at least separate FPM pools for each student.

A simpler solution would be to use the open_basedir functionality to constrain scripts to their own directory tree. You can enable this in the webserver config on a per directory basis - but I don't think there is an easy way to map the paths calculated by mod_userdir, i.e. you'll need lots of

 <Directory "/home/Gurgy/public_html">
    php_admin_value open_basedir "/home/Gurgy/"
 </Directory>

 <Directory "/home/MarcB/public_html">
    php_admin_value open_basedir "/home/MarcB/"
 </Directory>

 ...

(This might merit a further question on Serverfault to see if anyone knows a better way of solving this more specific problem).

There are some loopholes which allow you to get access to files outside the open_basedir restriction. The symlink bug is fixed, but not sure about the IMAP holes. Best to use a recent, patched version of PHP with Suhosin and do some further research.

Having said that - unless it's a very short course, you might want to provide them each with a VM image which they can then use to explore other aspects of service provision.
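The per-student blocks shown in the answer above can be generated rather than typed by hand. This is an added example, not code from the answer: the function names, the `HOME_ROOT` variable and the output file name are assumptions, and the `/home/<user>/public_html` layout is taken from the answer's paths.

```shell
#!/bin/sh
# Added example: emit one <Directory> block per student so each student's
# scripts get an open_basedir limited to that student's home directory.
# HOME_ROOT is a hypothetical setting; the layout follows the answer's paths.

HOME_ROOT="${HOME_ROOT:-/home}"

# Accept only plain account names, so a name can never carry quotes,
# slashes, ".." or newlines into the generated Apache config.
valid_student() {
    case "$1" in
        ''|.*|-*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Print the block for one student; non-zero status for a rejected name.
student_block() {
    valid_student "$1" || return 1
    printf '<Directory "%s/%s/public_html">\n' "$HOME_ROOT" "$1"
    printf '    php_admin_value open_basedir "%s/%s/"\n' "$HOME_ROOT" "$1"
    printf '</Directory>\n\n'
}

# Print blocks for every name given; report skipped names on stderr and
# return non-zero if any name was skipped.
generate_conf() {
    rc=0
    for name in "$@"; do
        if ! student_block "$name"; then
            echo "skipped invalid student name: $name" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample run (names taken from the answer above):
#   generate_conf Gurgy MarcB > students-open_basedir.conf
```

Include the generated file from the main server config and check it with `apachectl configtest` before reloading.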

0
On

Is that what you're looking for? If yes, this is a php.ini setting. In order to put this into your web server config in every virtualhost section, we need to know:

  1. what web server do you use
  2. how do you configure virtual host for every student

If there is a separate configuration and virtualhost for every student, consider adding

    php_admin_value open_basedir "/path/to/this/student/folder"

to the virtual host config.