Uberspace / manual

This manual documents how to use the basic features of Uberspace 7.
https://manual.uberspace.de/

restrict php execution to DocumentRoot #507

Closed jstask82 closed 1 year ago

jstask82 commented 1 year ago

I noticed that PHP can access the complete user account, which you can prevent by setting open_basedir to your DocumentRoot.

jonmz commented 1 year ago

While this can offer more security, it's not suitable as a general setting, as sometimes PHP applications explicitly should access files outside of the DocumentRoot. For example, the Nextcloud lab guide stores its files in $HOME/nextcloud_data, and it's generally recommended to keep those files outside the DocumentRoot.

Additionally, it only offers limited protection. As long as PHP is still allowed to execute external commands (which people generally want), applications might be unable to directly read a file outside the DocumentRoot, but they can happily execute some external command like cat /home/blah/somefile.txt that can read those files. It can be a problem to provide a false sense of security here.

So while I'm not opposed to kinda "feature" this setting in our manual, I don't regard it as a general recommendation. If someone has sensitive data that should not be accessed by the installed applications, it would offer much better security to put them onto a separate account.
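The limitation described in the comment above can be checked from the configuration side. The following is an added example, not part of the original thread or of the Uberspace manual: it classifies PHP ini text by whether open_basedir is set and whether the functions that start external commands are still enabled. The sample paths and the verdict labels are constructed for illustration, and it assumes Unix-style ini values (colon-separated open_basedir).

```python
"""Added example: audit PHP ini text for the open_basedir gap from the thread."""

# PHP functions that start external programs; open_basedir does not constrain
# what those programs read.
EXEC_FUNCS = ("exec", "shell_exec", "system", "passthru", "popen", "proc_open")


def parse_ini(text):
    """Return {directive: value}; later lines win, ';' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" not in line or line.startswith("["):
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def audit(text):
    """Report the open_basedir paths and which exec-style functions remain usable."""
    s = parse_ini(text)
    basedirs = [p for p in s.get("open_basedir", "").split(":") if p]
    disabled = {f.strip().lower() for f in s.get("disable_functions", "").split(",")}
    exec_enabled = [f for f in EXEC_FUNCS if f not in disabled]
    if not basedirs:
        verdict = "no-open_basedir"
    elif exec_enabled:
        # File functions are confined, external commands are not.
        verdict = "open_basedir-bypassable-via-exec"
    else:
        verdict = "open_basedir-with-exec-disabled"
    return {"verdict": verdict, "basedirs": basedirs, "exec_enabled": exec_enabled}


# Constructed sample configurations (paths are placeholders, not Uberspace defaults).
SAMPLE_DEFAULT = "[PHP]\nmemory_limit = 256M\n"
SAMPLE_BASEDIR = "open_basedir = /var/www/virtual/example/html:/tmp ; docroot + tmp\n"
SAMPLE_LOCKED = SAMPLE_BASEDIR + (
    "disable_functions = exec,shell_exec,system,passthru,popen,proc_open\n"
)

if __name__ == "__main__":
    for name, ini in [("default", SAMPLE_DEFAULT), ("basedir", SAMPLE_BASEDIR),
                      ("locked", SAMPLE_LOCKED)]:
        print(name, audit(ini))
```

Even the last verdict only describes these two directives; as the comment says, a separate account is the stronger boundary for sensitive data.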

luto commented 1 year ago

As Jonas said, this isn't something we can generally recommend. If you'd like to write up more detailed instructions as well as some pitfalls, we'd be happy to include this on lab.uberspace.de.