Nick *** wrote:
Let's assume that I have a web server with 50 virtual hosts. This web server is apache2 running as user nobody and has php installed. I've set php's OPEN_BASEDIR option for every VHost, so I can restrict the users' IO access outside their directories. Now I want to install MP2 on the same server. I am setting a different interpreter pool for every VHost. And now how do I make sure that VHost1 user doesn't open($file, "<", "/www/VHost2/mysql_user_and_pass.pl")?

You basically can't.

What you really want is running different vhosts under different user accounts, and that's what the Apache2-bundled perchild MPM was meant for, but that was never finished. There's also the metux MPM project which was meant to replace the perchild MPM, but that project seems to be mostly dead, too. Which is a pity, since this means one less major feature that might have made users switch to Apache2.

I don't know what exactly PHP tries to do with open_basedir, but I don't believe that it can achieve real security separation without using real user accounts (and a quick web search confirms that).

--
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html
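
An added illustration of the reply's point, not part of the original thread or of mod_perl: the operating system decides file access from the process's uid and groups alone, so this audit lists which files under a vhost root a given account could open. The function names, the constructed temporary layout and the `owner + 1` stand-in uid are assumptions made for the example.

```python
import os
import stat
import tempfile

def allowed(st, uid, gids, want):
    """POSIX permission-bit check for a non-root identity; want is 'r' or 'x'.
    Exactly one class applies: owner, else group, else other."""
    if uid == st.st_uid:
        bit = {"r": stat.S_IRUSR, "x": stat.S_IXUSR}[want]
    elif st.st_gid in gids:
        bit = {"r": stat.S_IRGRP, "x": stat.S_IXGRP}[want]
    else:
        bit = {"r": stat.S_IROTH, "x": stat.S_IXOTH}[want]
    return bool(st.st_mode & bit)

def readable_by(root, uid, gids):
    """Regular files under root that (uid, gids) could open for reading.
    root itself is assumed reachable; ACLs, capabilities and MAC are not modelled."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Opening a known path needs search (x) permission on every directory above it.
        dirnames[:] = [d for d in dirnames
                       if allowed(os.lstat(os.path.join(dirpath, d)), uid, gids, "x")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and allowed(st, uid, gids, "r"):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def demo():
    """Constructed layout: VHost1 is world-readable, VHost2 is private to its owner."""
    with tempfile.TemporaryDirectory() as root:
        for vhost, dmode, fmode in (("VHost1", 0o755, 0o644), ("VHost2", 0o700, 0o600)):
            d = os.path.join(root, vhost)
            os.mkdir(d)
            f = os.path.join(d, "mysql_user_and_pass.pl")
            with open(f, "w") as fh:
                fh.write("# constructed placeholder, no real credentials\n")
            os.chmod(f, fmode)
            os.chmod(d, dmode)
        owner = os.lstat(root).st_uid
        # owner + 1 stands in for any other account, e.g. a shared server user
        return readable_by(root, owner + 1, set()), readable_by(root, owner, set())

if __name__ == "__main__":
    shared, own = demo()
    print("readable by another account:", shared)
    print("readable by the owning account:", own)
```

Any path reported for the shared server account is readable by code from every vhost running under that account. A file that account cannot read also cannot be served or executed by it, which is why the separation only works with one account per vhost.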


