I have an Apache 1.3 server with multiple (>2000) virtual hosts that are able to run their own PHP scripts. I would like to tighten security for these and have already chrooted Apache and tweaked various parameters in php.ini such as safe_mode and register_globals. The problem is that a PHP script on one vhost can still access data on other vhosts because Apache, chrooted or not, is still single-threaded and running with the same UID. I tried fiddling a bit with "open_basedir" inside a VirtualHost and, even if it did some good, it didn't stop the system calls such as exec() and system() from reaching outside. I would feel happier if the VirtualHosts could be properly isolated.
I know there is something happening in Apache 2 (peruser MPM?) that looks promising, but is there anything else I can do with 1.3?
I've been thinking of having an Apache proxy on port 80 and chrooted individual web servers for each vhost, but this would mean >2000 running web servers and I only have 1GB of RAM to play with. I guess it would be a little bit better to have only Apache as the proxy and, say, lighttpd or similar for the rest, but still... has anyone actually tried this and would recommend it?
I'd appreciate it if anyone would comment on this. Thanks in advance!
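As an added illustration (not part of the original post, and not the poster's configuration), the following httpd.conf fragment for Apache 1.3 with mod_php (PHP 4) puts the setting the question already tried, open_basedir, beside the setting that actually covers exec() and system(): disable_functions, which strips those functions from the engine for that VirtualHost. The vhost names, the /var/www/vhosts layout and the exact function list are assumptions for the example.

```apache
# Added example, not from the original post. Hostnames, the /var/www/vhosts
# directory layout and the function list are assumed for illustration.
# Requires mod_php (PHP 4 on Apache 1.3). php_admin_value / php_admin_flag
# are used deliberately: unlike php_value, a script cannot undo them with
# ini_set() and a vhost owner cannot undo them from .htaccess.

# Weak: open_basedir only constrains PHP's own file functions (fopen(),
# include(), file_get_contents(), ...). exec() and system() spawn /bin/sh,
# which knows nothing about open_basedir and, since every vhost runs under
# the same UID, can read any other vhost's files inside the chroot.
<VirtualHost *:80>
    ServerName weak.example.com
    DocumentRoot /var/www/vhosts/weak.example.com/htdocs
    php_admin_value open_basedir /var/www/vhosts/weak.example.com/:/tmp/
</VirtualHost>

# Tighter: keep open_basedir (with trailing slashes: open_basedir does prefix
# matching, so "/var/www/vhosts/a" would also admit "/var/www/vhosts/ab"),
# give the vhost its own tmp and session directory instead of the shared
# /tmp (same UID means shared /tmp is readable by every vhost), and remove
# the functions that hand control to a shell or an external process.
# disable_functions is PHP_INI_SYSTEM, so it takes effect only from php.ini
# or php_admin_value, never from a script.
<VirtualHost *:80>
    ServerName tight.example.com
    DocumentRoot /var/www/vhosts/tight.example.com/htdocs
    php_admin_value open_basedir /var/www/vhosts/tight.example.com/
    php_admin_value upload_tmp_dir /var/www/vhosts/tight.example.com/tmp/
    php_admin_value session.save_path /var/www/vhosts/tight.example.com/tmp/
    php_admin_value disable_functions "exec,system,passthru,shell_exec,popen,proc_open,dl"
    # For a vhost that genuinely needs exec(), drop it from the list above
    # and instead use safe_mode's exec directory, which limits what the
    # function may launch to binaries placed in that one directory.
    php_admin_flag safe_mode on
    php_admin_value safe_mode_exec_dir /var/www/vhosts/tight.example.com/bin/
</VirtualHost>
```

Two caveats go with this. disable_functions is a denylist, so any function not named stays callable, and the list above is illustrative rather than complete. More importantly, none of these directives changes the root cause the question identifies: all vhosts still execute as one UID, so an engine or extension bug that bypasses the ini checks has the whole chroot's files at its disposal. These settings narrow the easy path; they are not a substitute for per-vhost UID separation.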