One of the Coop members want to run phpBB on mother.
As discussed before, since mod_php runs as the apache user, any user on a server w/ mod_php access and knows a bit of PHP would have no problem walking over everybody else’s files, and worse, passwords and data files. The Coop members are trustworthy, but if a solution to this security problem can be found and implemented, then the Coop members would have a very valuable service to offer to others, e.g. clients.
Most virtual hosting providers implement server-side PHP w/ the CGI version, together w/ something like suEXEC, instead of mod_php. Since the CGI scipts (in PHP) run as a normal user, users do not get to look into the source files of other users. This solves the security problem, but performance of the CGI scripts suffers a lot. Not suitable for busy websites.
My solution is to run a separate apache instance (together w/ mod_php) in user space to listen on a higher port (e.g. 8081), and set up the main apache instance (which listens on the http 80 port) to act as a reverse proxy. A firewall may be utilized to block port 8081 from connections other than from the main apache instance if necessary. More instances listening on other ports may be installed for other users.
I wanted to run the user instances in a chroot environment, which would be very secure, as code running in such environment do not get to see the filesystem above a certain level. Unfortunately, the chroot() system code is only available to the root user.
In the initial test, It seems to work okay. A default instance takes about 5MB of RAM, which isn’t so bad. I would have to fine tune parameters such as number of processes to run, etc. but it should work.