PHP and/or Apache configuration to prevent file opening

webdbase

Suppose user directories are in:
/home
How to prevent the script
/home/john/script2.php
from opening
/home/george/script1.php
using fopen(), file(), etc.?

LordShryku

php.ini has this directive:

; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
disable_functions =

webdbase

OK, but what if I want to keep those functions within the scope of each directory?

quadmyre

AFAIK:
If you're on a shared server and that server is running as 'nobody' then there's no easy way to do this - the script can access any file accessible by the 'nobody' account and by definition for scripts to work they must be accessible to that account.
If your server is running in suexec mode than things are different in that the server runs as a user and is thus restricted to reading files accessible to that user.
Apache access controls are not relevant as it's not apache that's opening the files - it's the script that's running which doesn't check .htaccess files or restrictions in httpd.conf etc.

Anyone who knows better please feel free to correct me but that's how I understand it. This is one of the reasons people prefer real virtual servers / dedicated servers over shared servers.