"sandboxing" php-fpm

with libapache2-mod-php it is possible to use open_basedir to restrict access of phpmyadmin to files which are necessary for the software. This is not possible if phpmyadmin is running with fpm/fcgi.

This could be achieved by creating a systemuser which is used to run the php-process for phpmyadmin. Maybe we could ask the user if he wants to do this with debconf.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information