chrooting CGI/PHP

I've been playing with chrooting PHP scripts and making them run as the domain's user, not as 'www' (this is on FreeBSD). What I want to do is have this hierachy under each domain's folder:

bin/ - basic binaries like ls/rm/cp
mail/ - for mail
www/ - HTML/PHP/CGI files
software/ - software I specifically give access for
logs/ - log files
tmp/ - temporary files (like PHP sessions)

I actually have a setup of some sorts working with just the Web files, but it's a fairly nasty hack involving a SUID C program I wrote plus copying a lot of library files into /usr/lib under the home folder. Anyways, a few questions:

1. Would any of you recommend such a setup? Is this "too secure?"

2. Would turning on PHP's safe_mode on top of this be too excessive?

My main motivation for doing this is to reduce the impact of hacking from insecure CGI scripts, if that matters. I also realize I would be unable to use any sort of control panel--this is for my own development system and not for any hosting clients.

Thanks in advance! chrooting CGI/PHP

 

 

 

 

Top