[CentOS] Apache User Isolation/Perchild, or PHP "chroot"?

Wed May 2 12:04:28 UTC 2007
Barry Brimer <lists at brimer.org>

> Has anyone set up any form of apache user isolation on CentOS? I have
> multiple virtual hosts on my machine, run by users who do not trust
> eachother. The problem is that any php script run by apache is able to do
> things like raw file io on other users' .htpasswds, php scripts, hidden
> directory listings, and so on. Database passwords can even be divulged in
> this way, since they are often stored in .php scripts, which can be read
> "in the raw" as files by other php scripts.
>
> What is the easiest method for dealing with this? I found
> http://webauth.stanford.edu/manual/mod/perchild.html but it does not seem
> to be compiled with the CentOS 5 apache, and I've read elsewhere that php
> has issues with mutlithreaded apache. Is there any easy way to isolate
> individual users, by either having apache setuid, or chrooting php
> scripts, or (ugh) a clean way to run a new apache copy for each vhost?

There are a few links here discussing these issues.  I have read them, but 
not implemented them.

<http://www.linode.com/forums/viewtopic.php?t=2723>

Barry