I have a question regarding PHP, but we need to restrict PHP scripts to run securely. Ideally it should be like this:
The core code will be located outside of public_html, like /etc/app/
All sites will use the same core. Each site 'user' should be restricted to the public folder only. Code in core, however, should be readable and executable but not editable.
I'm thinking we can add this to open_basedir, or symlink it into each site and put it in the same group as all the site users (and thus have read/execute permission on it).
I'm really new to this kind of setting, so I wonder if there is something I overlooked?
--- Edit
More info:
One way to do this is by simply putting the path to symfony2 in your include_path directive in the php.ini file. So when you use include or require, PHP will try to find the desired file by looking in the include_paths and provide it.
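The only thing you'll need to do is to secure the files:
# Make root the owner and group of the whole shared core tree
chown -R root:root /path/to/symfony2_core
# rwxr-xr-x: only the owner (root) can write; everyone else can read and execute
find /path/to/symfony2_core -type f -name "*.php*" -exec chmod 755 {} \;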
Keep in mind not to make apache or php the owner of the files, as this can be used as an exploit (i.e. if the http server is the owner, in some scenarios a user can overwrite the files simply by executing shell_exec('echo "do something nasty here." > /path/to/symfony2_core/Kernel.php')).
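A read-only check for the ownership and permission model described in the answer above, as an added example that is not part of the original post: it lists anything under the core directory that is owned by the web server account or is group- or world-writable. The function name audit_core and the account passed as the second argument (for example www-data) are assumptions; the core path is whatever directory you pass in.

```shell
#!/bin/sh
# Added example (not from the original answer): audit a shared PHP core tree.
# Assumption: $2 is the account the web server / PHP runs as, given as a
# user name or numeric UID (e.g. www-data). It is never modified, only read.

# audit_core CORE_DIR WEB_USER
# Prints every entry under CORE_DIR that the PHP process could modify:
#   - entries owned by WEB_USER (the owner can always chmod and rewrite them)
#   - entries writable by group or by others
# Symlinks are skipped for the permission test because their mode bits are
# always 0777 and are not what the kernel checks; their ownership still counts.
# Returns 0 when the tree is clean, 1 when at least one entry is reported.
audit_core() {
    core_dir=$1
    web_user=$2
    findings=$(find "$core_dir" \
        \( -user "$web_user" -o \
           \( ! -type l \( -perm -020 -o -perm -002 \) \) \) -print)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Stand-alone use: sh audit_core.sh /path/to/symfony2_core www-data
if [ "$#" -eq 2 ]; then
    audit_core "$1" "$2"
fi
```

Directories are checked as well as files, since a writable directory lets a user replace a file inside it even when the file itself is read-only.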