You can use the open_basedir directive in your php.ini to restrict the script to a directory, see documentation.
If you want different sites to have different restrictions, the PHP instances must have different values of open_basedir, which can be set up in Apache on a per-virtual-host basis. See this question on Stack Overflow for more details.
However, note that open_basedir does not apply to external commands executed using system() and friends. If you want to be safe from that, it would be best to move on to running several instances of php-fpm as different users or using suPHP. One of the answers to this question contains an explanation of how to set up the ownerships and permissions to only allow users access to their own files.
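An added example, not part of the original answer: one way to give each virtual host its own open_basedir under Apache with mod_php. The host names and directory paths are hypothetical.

```apache
# Constructed example: two sites served by one Apache + mod_php instance.
# Host names and directory paths are hypothetical.

<VirtualHost *:80>
    ServerName site1.example.com
    DocumentRoot /srv/www/site1/public

    # php_admin_value cannot be overridden from .htaccess or ini_set().
    # The trailing slash matters: without it the value is matched as a
    # prefix, so "/srv/www/site1" would also allow "/srv/www/site1-backup".
    php_admin_value open_basedir "/srv/www/site1/"

    # Keep uploads and sessions inside the allowed tree rather than
    # adding a shared /tmp to open_basedir.
    php_admin_value upload_tmp_dir "/srv/www/site1/tmp"
    php_admin_value session.save_path "/srv/www/site1/sessions"
</VirtualHost>

<VirtualHost *:80>
    ServerName site2.example.com
    DocumentRoot /srv/www/site2/public

    # A different value per virtual host: site2 scripts cannot open
    # files under /srv/www/site1/ through PHP's file functions.
    php_admin_value open_basedir "/srv/www/site2/"
    php_admin_value upload_tmp_dir "/srv/www/site2/tmp"
    php_admin_value session.save_path "/srv/www/site2/sessions"
</VirtualHost>
```

Both sites still run as the same Apache user here, so this does not cover commands started through system(); that case needs the separate-user setup the answer mentions.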