Slashdot Mirror


Isolated Apache Virtual Hosts?

An anonymous reader writes: "Anyone ever had to set up virtual hosting on a server that allows CGI execution, etc.? This seems to be simple, until you want to keep users out of each other's data. The Apache config seems straightforward enough, but I still haven't figured out the best way to set up the user groups on the box to keep them trapped in their areas and out of each other's business. I thought I could put each user in his own group to block prying eyes on the system side, then add the web user to all the other users' groups allowing him to get to their files, using suexec to prevent one user from using the web server to look at another user's files. This works well, but there seems to be a limit on the number of secondary groups a user can be a member of. So, the web user hits a wall at roughly 16 "customers" or user accounts. Any suggestions on how to improve on this and get beyond the limit? Or is there a better way to approach this than the group/suexec thing? Any pointers to online resources dealing with this type of config would be great..."
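The scheme the submitter describes (one group per customer, the web server user added to each group, CGI run under suexec as the customer's own uid/gid) in runnable form. This is an added example, not the poster's own configuration: the /srv/www layout, the www-data web user and the alice.example.org host name are assumptions. The first two functions measure the limit the poster ran into: the kernel's NGROUPS_MAX caps the supplementary groups one process can hold, so the web user cannot be added to more customer groups than that.

```shell
#!/bin/sh
# Added example (not from the Slashdot post): checks the supplementary-group
# budget the poster hit and emits a suexec vhost plus a 0750 tree per customer.
# /srv/www, www-data and the host names are assumptions.

# Kernel limit on supplementary groups for one process. Old kernels fixed this
# at 16 (the wall described in the post); modern Linux reports 65536.
ngroups_max() {
    getconf NGROUPS_MAX 2>/dev/null || echo 16
}

# Number of supplementary groups a user currently holds (primary group excluded).
secondary_group_count() {   # $1 = user name
    n=$(id -G "$1" 2>/dev/null | wc -w)
    [ "$n" -gt 0 ] && n=$((n - 1))
    echo "$n"
}

# Exit 0 if adding $2 more customers (one group each) keeps the web user within
# the kernel limit, 1 otherwise. Run this before useradd, not after the failure.
group_budget_ok() {   # $1 = web server user, $2 = customers to add
    [ $(( $(secondary_group_count "$1") + $2 )) -le "$(ngroups_max)" ]
}

# Per-customer vhost: Apache (as the web user, member of the customer's group)
# reads and serves the tree, but every CGI runs as the customer's own uid/gid
# through suexec, so a script doing "cd ../other_customer" hits EACCES on a
# 0750 tree it does not belong to.
vhost_config() {   # $1 = customer user/group name, $2 = ServerName
    cat <<EOF
<VirtualHost *:80>
    ServerName $2
    DocumentRoot /srv/www/$1/htdocs
    SuexecUserGroup $1 $1
    ScriptAlias /cgi-bin/ /srv/www/$1/cgi-bin/
    <Directory /srv/www/$1>
        Options -FollowSymLinks +SymLinksIfOwnerMatch
        AllowOverride None
    </Directory>
</VirtualHost>
EOF
}

# Filesystem side: the customer owns the tree at mode 0750 and the web server
# user joins the customer's group (read, never write). Needs root; as a normal
# user it only prints the commands it would run.
customer_layout() {   # $1 = customer, $2 = web server user (e.g. www-data)
    run=""
    [ "$(id -u)" -eq 0 ] || run="echo"
    $run groupadd "$1"
    $run useradd -g "$1" -d "/srv/www/$1" -s /usr/sbin/nologin "$1"
    $run install -d -m 0750 -o "$1" -g "$1" \
        "/srv/www/$1" "/srv/www/$1/htdocs" "/srv/www/$1/cgi-bin"
    $run usermod -a -G "$1" "$2"
}

# Typical use: refuse to onboard a customer once the group budget is gone.
if group_budget_ok www-data 1; then
    customer_layout alice www-data
    vhost_config alice alice.example.org
else
    echo "www-data is at NGROUPS_MAX ($(ngroups_max)); cannot add another group" >&2
fi
```

The limit is per process, not per user database: the web user can be listed in more groups in /etc/group, but a process only receives the first NGROUPS_MAX of them at login, which is why the poster saw the wall at 16 on a kernel of that era.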

1 of 46 comments

  1. Re:Pretty easy, actually. by willfe · Score: 0, Redundant

    Hehehe yup, prepare to begin kicking :)

    The problem with this arrangement is that unless you're serving up nothing but static pages (absolutely no CGI, PHP, mod_perl, or other types of programs running whatsoever), it's trivial to get at someone else's stuff. Unless you run processes with suexec, anyone could write a PHP or Perl script to cd ../other_user_dir and walk the tree. This works because without suexec, every single script and process forked on a user's behalf runs as the Apache user.

    Of course, Apache itself has to have access to everyone's stuff, else it can't serve them up.

    Also, unless properly configured, even with only static pages, you're still vulnerable to things like http://yoursite.com/~username/../other-user and so on.

    --
    Read my stuff.
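The last point in willfe's comment, the ~username/../other-user request, is a lexical path-containment problem that can be checked before any file is opened. The following is an added example, not code from the comment or from Apache: a POSIX sh function that collapses "." and ".." segments and refuses the request as soon as a ".." would climb above the user's document root, plus a mod_userdir-style mapper built on it. The /srv/www/NAME/htdocs layout is an assumption.

```shell
#!/bin/sh
# Added example (not from willfe's comment): lexical containment check for
# per-user document roots. The /srv/www layout is an assumption.

# Collapse "." and ".." without touching the filesystem. Prints the resolved
# path, or returns 1 the moment a ".." would climb above the root; that is
# exactly the /~user/../other-user case from the comment.
contained_path() {   # $1 = document root, $2 = request path relative to it
    root=$1; rel=$2; out=""; depth=0
    saved_ifs=$IFS
    set -f                     # no globbing while we split on "/"
    IFS='/'
    set -- $rel
    IFS=$saved_ifs
    set +f
    for seg in "$@"; do
        case $seg in
            ''|'.') ;;                              # "//" or a bare "."
            '..') [ "$depth" -gt 0 ] || return 1    # would leave the root
                  depth=$((depth - 1)); out=${out%/*} ;;
            *)    depth=$((depth + 1)); out="$out/$seg" ;;
        esac
    done
    printf '%s%s\n' "$root" "$out"
}

# Map a /~name/rest request onto that user's tree and nothing else.
userdir_target() {   # $1 = request URI path
    case $1 in
        /~*/*) ;;
        *) return 1 ;;                  # not a userdir request
    esac
    name=${1#/~}; name=${name%%/*}
    [ -n "$name" ] || return 1
    rest=${1#/~"$name"/}
    contained_path "/srv/www/$name/htdocs" "$rest"
}

# Constructed sample requests, the last of which must be refused.
for uri in '/~alice/docs/../index.html' '/~alice/a/./b//c.html' '/~alice/../bob/secret'; do
    if target=$(userdir_target "$uri"); then
        echo "allow $uri -> $target"
    else
        echo "deny  $uri"
    fi
done
```

The check is lexical on purpose: it runs before any stat() call, so it cannot be fooled by what the path happens to resolve to on disk. Symlinks planted inside a user's tree are a separate problem, which is what the Options -FollowSymLinks +SymLinksIfOwnerMatch pair in an Apache vhost addresses.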