> Has anyone set up any form of apache user isolation on CentOS? I have
> multiple virtual hosts on my machine, run by users who do not trust
> each other. The problem is that any php script run by apache is able to do
> things like raw file io on other users' .htpasswds, php scripts, hidden
> directory listings, and so on. Database passwords can even be divulged in
> this way, since they are often stored in .php scripts, which can be read
> "in the raw" as files by other php scripts.
>
> What is the easiest method for dealing with this? I found
> http://webauth.stanford.edu/manual/mod/perchild.html but it does not seem
> to be compiled with the CentOS 5 apache, and I've read elsewhere that php
> has issues with multithreaded apache. Is there any easy way to isolate
> individual users, by either having apache setuid, or chrooting php
> scripts, or (ugh) a clean way to run a new apache copy for each vhost?

There are a few links here discussing these issues. I have read them, but not implemented them.

<http://www.linode.com/forums/viewtopic.php?t=2723>

Barry
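To measure the exposure the question describes, the following added example (not part of the original thread) lists the `.htpasswd` and `.php` files in a vhost directory that the shared web-server account can read using classic mode bits. The function names, the sample tree and the uid/gid values are hypothetical, and it assumes PHP runs under the same uid as Apache.

```python
import os
import stat
import tempfile

def _allowed(st, uid, gids, owner_bit, group_bit, other_bit):
    # Classic Unix mode-bit check; ignores ACLs, SELinux and root's override.
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)

def can_read(st, uid, gids):
    return _allowed(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)

def can_search(st, uid, gids):
    return _allowed(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)

def exposed_files(vhost_root, web_uid, web_gids):
    """Sensitive files under vhost_root that the shared web-server uid can read."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(vhost_root):
        # Do not descend into directories the web uid cannot search.
        dirnames[:] = [d for d in dirnames if can_search(
            os.lstat(os.path.join(dirpath, d)), web_uid, web_gids)]
        for name in filenames:
            if name == ".htpasswd" or name.endswith(".php"):
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if stat.S_ISREG(st.st_mode) and can_read(st, web_uid, web_gids):
                    hits.append(os.path.relpath(path, vhost_root))
    return sorted(hits)

def build_sample_vhost(root):
    """Constructed sample tree (not real data): relative path -> mode."""
    layout = {"config.php": 0o644, ".htpasswd": 0o640,
              "private/db.php": 0o644, "locked.php": 0o600, "index.html": 0o644}
    os.mkdir(os.path.join(root, "private"))
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "private"), 0o700)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_vhost(root)
        owner = os.lstat(os.path.join(root, "config.php"))
        # Assumption: the web server's uid/gid differ from the file owner's.
        print(exposed_files(root, owner.st_uid + 1, {owner.st_gid + 1}))
```

Any file this reports for one vhost is readable by scripts of every other vhost served under the same uid, so files that the server itself must read remain exposed until each vhost runs under its own account.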