Can chroot to PHP's DOCUMENT_ROOT var?

Anon

Curious if you can tell PHP to chroot to a users $DOCUMENT_ROOT
path.

I'm using a bunch of Apache rewrite rules to map the document root
to the users web directory. The DOCUMENT_ROOT variable doesn't
get updated with the final outcome of apache's rewrite rules; It stays
set to the variable in apache's httpd.conf file.

I'm wondering if I could use the rewrite rules, then have PHP trap the user
in a chroot jail, so that when they use require/include, they could specify
"/setup.php" instead of,

// Get Document Root
$root = SubStr($SCRIPT_FILENAME, 0, Strrpos($SCRIPT_FILENAME, "/") );
include "$root/setup.php";

Another reason to do this, is that I'd love to be able to hide the directory
layout to protect my users against any malicious ones.

Thanks for any help,
-Allan

ruttiger

good question.
i just wanted to letcha know about dirname and basename functions if you didnt already know about them...'little easier than the substr call.

$root = dirname($SCRIPT_FILENAME);

i'd like to know if you figure this out tho.

Anon

Wow a year ago and no response. If anyone does figure this out or if there is some new method to JAIL a user that would be awesome. It seems like it would add serious security concerns as in perl w/o suexec.

Anon

Actually --

I haven't implemented it yet, but I believe this is possible. Look in the security section. If you use SAFE-MODE, and a couple other settings, you can make it pretty safe (it seems). I believe you can set certain directories that are allowed and some that are not

check it out --- if youre still looking into it

or if you've done it -- did it work?