Directory-based access control

#1
I'm trying to come up with a solution which allows me to implement directory-based access control.

Here is an example:
I have several domains

domain1.com
domain2.com
...
domainN.com

I have SuExec enabled to make sure that users can only access their own files, belonging to their domain. Now I want to implement a little bit more sophisticated access rules, namely
Inside domain1.com I have several projects:

domain1.com/project1
domain1.com/project2

domain1.com/projectN

Each user has FTP access to a particular project that he owns. My question is: how do I prevent user1 from accessing files of project2 using get_file_contents or readfile? As far as I understand, SuExec can be applied on a domain level, and here we are trying to limit access to a particular folder inside a domain. Any suggestions are highly appreciated!

Thank you!
 
#2
Anybody?
I wonder how come you guys have such a small community around such a great product.

Reading product description again:

"Access Control
Access control rules can be set at server, virtual host and per-directory (context) level."

Can this '(context)' be applied to my situation?

I can see
[Server Level]: lsphp5
[VHost Level]: $VH_NAME_lsphp

and I expect to find something like
[Directory level]: $VH_NAME_$DIR_NAME_lsphp

Am I going in the wrong direction?
Are there any product gurus, wizards, ninjas in the community? Please help!
 

mistwang

LiteSpeed Staff
#3
If you use Apache httpd.conf, you can use

php_admin_value open_basedir "..."

with <directory> directives in vhost configuration to limit access.

If you use the LSWS admin console, just add a context for each project, and apply the above configuration via "Apache style configuration".
 
#4
php_value inheritance

Perfect! Thank you. Exactly what I wanted. Now I'm stuck with php_admin_value inheritance.

I created a context for each project (I have 60 of them - should I expect any serious performance impact?) and in 'Apache Style Configuration' for each context I put the following:

php_admin_value open_basedir ".:/var/www/domain01/project01/"

and it works fine.

Now for each project I'd like to allow access for common php libraries by adding them to open_basedir path. I've tried to set Virtual Host->General->Apache Style Configurations to

php_admin_value open_basedir ".:/usr/local/lib/php:/usr/local/lib/php/ZendFramework/library/"

but it looks like 'Apache Style Configurations' on context level overrides 'Apache Style Configurations' on vhost level.

So my first question
1) is there any way to enable simple inheritance so I don't need to explicitly specify path for external libraries for each created project?

I've tried different 'allow override' options, but I guess they only apply to .htaccess files, which do not support php_value syntax in the case of LiteSpeed.

2) I wonder if it's possible to use placeholders and define on vhost level something similar to this:

php_admin_value open_basedir ".:/var/www/domain01/$DIR_NAME/"
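
Post #4 reports that the context-level value replaces the vhost-level one, so each project's open_basedir has to carry the shared library paths itself. The following added example (not part of the thread and not LiteSpeed tooling) generates the full value for every project from one shared list; the function names and sample project names are assumptions, and the paths are the ones quoted in post #4.

```python
import posixpath

# Paths quoted in post #4; adjust to the real layout.
VHOST_ROOT = "/var/www/domain01"
SHARED_LIBS = ["/usr/local/lib/php", "/usr/local/lib/php/ZendFramework/library"]


def _dir_entry(path):
    """Normalise an absolute path and end it with '/' as the thread's values do."""
    norm = posixpath.normpath(path)
    if not norm.startswith("/") or ":" in norm or '"' in norm:
        raise ValueError(f"unsafe open_basedir entry: {path!r}")
    return norm.rstrip("/") + "/"


def open_basedir_for(project, vhost_root=VHOST_ROOT, shared=SHARED_LIBS):
    """Build the full open_basedir value for one project context."""
    # A project name must be a single path component, so a name such as
    # "../project02" cannot widen the restriction to a sibling project.
    if not project or project in (".", "..") or "/" in project or ":" in project:
        raise ValueError(f"invalid project name: {project!r}")
    entries = [_dir_entry(posixpath.join(vhost_root, project))]
    for lib in shared:
        entry = _dir_entry(lib)
        # Skip entries already covered by an earlier, broader one.
        if not any(entry.startswith(e) for e in entries):
            entries.append(entry)
    # "." is left out on purpose: it follows the script's working directory,
    # which PHP code can change with chdir().
    return ":".join(entries)


def directory_block(project, vhost_root=VHOST_ROOT, shared=SHARED_LIBS):
    """Render the Apache-style block for one project."""
    path = posixpath.join(vhost_root, project)
    value = open_basedir_for(project, vhost_root, shared)
    return (f'<Directory "{path}">\n'
            f'    php_admin_value open_basedir "{value}"\n'
            f'</Directory>\n')


if __name__ == "__main__":
    for name in ("project01", "project02"):  # constructed sample names
        print(directory_block(name))
```

For an LSWS context, paste only the php_admin_value line into that context's "Apache style configuration" field, as post #3 describes.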
 