So I'm setting up a shared hosting with Apache, PHP, MySQL and the biggest question mark is how to do with PHP, since there is a million options out there how to configure it securely.

The plan is:

• Chroot for MySQL (built in support for chroot)
• Chroot for Apache (mod_security)
• Each user executing their PHP-scripts as their own user (see below)
• Set open_basedir
• Disable all "evil" php-functions (allow_url_fopen, system, exec, and so on)

Ive looked at suexec and suphp but they seems very slow;

http://blog.stuartherbert.com/php/2007/12/18/using-suexec-to-secure-a-shared-server/ http://blog.stuartherbert.com/php/2008/01/18/using-suphp-to-secure-a-shared-server/

So I've looked some more and found some other solutions:

• apache2-mpm-itk + mod_php(?)
• mod_fcgid + php-fpm
• mod_fastcgi + php-fpm

Ive tried a simple setup with mod_fastcgi + php-fpm and it seems to work, runs as correct user and so on, but the protection against directory traveling is still open_basedir(?)

One solution for that could be to use php-fpm's chroot option, but that causes a lot of other issues like

• domain name resolver does not work
• sending mail does not work

Tips?