I would like to upload files (PHP sites/applications) to a given directory and run them there, within my web server. However, even a simple shell_exec call can cause serious consequences.
All the things I can think of are setting the pages directory outside the public_html and setting the permissions automatically so that the user running that page doesn’t have any rights outside it.
Another mediocre solution I’ve found so far is runkit_sandbox, which looks like quite an insecure solution, especially as it seems to be abandoned.
Is there really no way? Not even with full shell access (shell scripts)?
No. There are a virtually unlimited number of malicious behaviors that user-uploaded code can engage in, many of which closely resemble legitimate behavior (e.g., sending mail vs. sending spam; accessing external APIs vs. perpetrating a DDoS; running a command-line utility vs. running an exploit; managing files vs. deleting everything). There is generally no “canned” way to do this, and definitely none within PHP.