This is a poor man’s implementation of PHP environment chrooting. Apache’s suexec is too hardwired to user homes. Suexec is probably more secure but this is more flexible.

Download code from github and follow instructions. Idea is quite simple. Prepend a simple PHP file for every script which will chroot the environment and change UID/GID. Only root can do this and running whole server as root is not good. So there is the php_cfg executable which is owned by root and it has SUID bit. It is a tiny wrapper around the original PHP5 CGI executable. Its task is to run as root (SUID bit, web server can run under any user) and execute the original PHP5 with given extra configuration including a directive to prepend our simple chrooting script. That’s it. Simple, small and without any security guarantees 🙂