I somehow get the feeling this is going to be a complex issue. While I understand security is more a policy than something that can just be turned on and off, for my environment I need to make some changes to the way Apache works, and I cannot seem to find the answer. If this is covered in an article somewhere, please point me to it.

Currently I am hosting a few sites on an OS X Client box, running Apache and PHP; I will not be moving to Apache 2 anytime soon. From what I can gather, any file that needs to be served on the web needs to be world readable for Apache to be able to send the page out to the visitor. World readable files are, of course, readable by anyone. This is fine in the case of HTML files, but when you get to server-parsed files, such as those in PHP, there can be sensitive data in them. I guess the first thing is I need to hope that PHP does not ever die; if it did, raw code would be sent out to the browser, and in that raw code could be, for example, connection data to a database. I can also instruct users to secure the include files elsewhere, so they will not see those sensitive files in the event PHP were to fail.

The trouble I am having is that I am able to read outside the current directory and traverse the entire file system with PHP, using its abilities to read files. I cannot read files that Apache does not have permission to read, but those that it does, I can. For example, if I were to create a PHP file-reading tool and tell it to go up one directory from my directory that holds all my web files, I would be in my root folder; up one more, and I would see a list of directories that were named after the domain names of many other sites I am serving. If I were to jump into one of those sites and look around, I could locate, say, some file called conf.incl.php, and in that I would see some connection data to a database; from there, I could delete data from the database. How do you prevent this?

I am sure, since there are so many cheapPHPhosting.com type sites out there, this is either a problem they all have, or one they have figured out how to fix. I think I need to "jail" all PHP, Perl etc. stuff to a particular user's directory, but I am not sure how to do this. Certainly it can be done by setting the files to have permissions that do not allow anyone other than the owner to read them; however, that won't do you much good for allowing Apache to serve them either. What tradeoffs in inconvenience will I have to live with to offer shared hosting in a secure way?

-- 
-------------------------------------------------------------
Scott Haneda                                Tel: 415.898.2602
http://www.newgeo.com                       Fax: 313.557.5052
scott at newgeo.com                            Novato, CA U.S.A.
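A defender-side check for the situation the mail describes, added here as an example and not part of the original post: a POSIX shell audit that walks a hosting root and lists PHP include or configuration files whose other-read bit is set, which is the condition that lets code running as the Apache user in one account read another account's conf.incl.php. The sample tree (site-a.example, site-b.example, the placeholder password) is constructed for the demonstration; the file-name patterns are an assumption about common include naming, not anything the mail prescribes.

```shell
#!/bin/sh
# Added audit example (not from the original mail). Lists PHP include/config
# files under a shared-hosting root that are readable by "other", i.e. by any
# script that runs as the Apache user regardless of which account owns it.

# Build a constructed sample tree mirroring the layout the mail describes:
# one directory per hosted domain, each holding a conf.incl.php with
# (placeholder) database connection data. Prints the root path.
make_sample_tree() {
    root=$(mktemp -d)
    for site in site-a.example site-b.example; do
        mkdir -p "$root/$site/htdocs" "$root/$site/private"
        printf '<?php $db_pass = "placeholder-not-a-real-secret"; ?>\n' \
            > "$root/$site/htdocs/conf.incl.php"
        printf '<?php $db_pass = "placeholder-not-a-real-secret"; ?>\n' \
            > "$root/$site/private/conf.incl.php"
    done
    # site-a.example keeps the default world-readable mode the mail worries
    # about; site-b.example has had its other-read bit removed.
    chmod 644 "$root/site-a.example/htdocs/conf.incl.php" \
              "$root/site-a.example/private/conf.incl.php"
    chmod 640 "$root/site-b.example/htdocs/conf.incl.php" \
              "$root/site-b.example/private/conf.incl.php"
    echo "$root"
}

# Print every regular file under $1 whose name looks like a PHP include or
# configuration file and whose other-read bit (octal 004) is set.
# "-perm -004" is the POSIX octal form, so it behaves the same on the BSD
# find shipped with OS X and on GNU find.
world_readable_includes() {
    find "$1" -type f \
        \( -name '*.inc' -o -name '*.inc.php' -o -name '*.incl.php' \
           -o -name 'conf*.php' -o -name 'config*.php' \) \
        -perm -004
}

# Number of findings, so a cron job or deploy script can fail when it is
# not zero.
count_world_readable_includes() {
    world_readable_includes "$1" | wc -l | tr -d ' '
}

# Stand-alone demonstration against the constructed tree.
demo_root=$(make_sample_tree)
echo "world-readable include files under $demo_root:"
world_readable_includes "$demo_root"
echo "count: $(count_world_readable_includes "$demo_root")"
rm -rf "$demo_root"
```

Run `world_readable_includes /path/to/hosting/root` against the real tree; each hit is a candidate for moving outside the document root and tightening its mode. Mode bits alone cannot separate one site's scripts from another's when every site runs as the same Apache user, so on mod_php the usual complement is a per-VirtualHost `php_admin_value open_basedir` that confines each site's scripts to its own directory and makes the directory-traversal reads the mail describes fail at the PHP layer.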