About: OpenSource Webserver, http://httpd.apache.org
Security: devik[at]cdi.cz tells us about Apache 1.3.20: A typical problem when using PHP is security. Here in the Czech Republic at least half of the sites are cracked using PHP bugs. PHP's safe-mode solves it a bit, but it can't be treated as a correct solution.
Apache 2 has an MPM module which allows setting User per VirtualHost. Unfortunately Apache 2 is in beta phase now. Here I present a quick hack for 1.3.20 (and others) which allows you to do the same. The only disadvantage is speed. I use seteuid in the forked child to switch to the httpd user, but the real UID is still root. Later, when a request comes in, I determine the value of the User/Group directives attached to it, regain root and use setuid to become the given user permanently. It also means that the child can't be used anymore for other connections which could require another user. I solve it by forcing the child to die when the connection is closed. There is a possibility to reuse children with the same UID, but it requires larger changes to the Apache source and I have too many other projects. Here is a patch against 1.3.20. I'd appreciate comments on it and test results. It works well here. Use the User directive in VirtualHost and you are done.
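The two-phase switch described above, sketched as a stand-alone C program; this is an added example, not devik's patch or Apache code, and the UIDs 33 and 1001 and all function names are assumptions. The probe shows that root is still recoverable while only the effective UID is dropped, and no longer after the permanent setuid.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* glibc: expose seteuid() and setgroups() */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Phase 1 (idle child): only the effective UID changes; real and saved
 * UID stay root, so the switch can be undone when a request arrives. */
static int drop_temporarily(uid_t idle_uid) { return seteuid(idle_uid); }

/* Probe: can this process get euid 0 back? Restores the previous euid. */
static int root_recoverable(void)
{
    uid_t prev = geteuid();
    if (seteuid(0) != 0) return 0;
    if (seteuid(prev) != 0) _exit(1);   /* never continue in an unknown state */
    return 1;
}

/* Phase 2 (request mapped to a vhost): regain root, then give it up for
 * good. Order matters: supplementary groups and GID first, UID last. */
static int become_vhost_user(uid_t uid, gid_t gid)
{
    if (uid == 0) return -1;                        /* never serve as root */
    if (getuid() == 0) {                            /* real UID root, as in the scheme above */
        if (seteuid(0) != 0) return -1;             /* regain root */
        if (setgroups(1, &gid) != 0) return -1;     /* real server: initgroups() for the account */
    }
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (root_recoverable()) return -1;              /* verify, don't trust return codes alone */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample IDs (assumptions): 33 = idle httpd user, 1001 = vhost owner. */
    if (getuid() != 0) { fprintf(stderr, "run as root to see both phases\n"); return 1; }
    if (drop_temporarily(33) != 0) return 1;
    printf("idle child:   euid=%d root_recoverable=%d\n", (int)geteuid(), root_recoverable());
    if (become_vhost_user(1001, 1001) != 0) return 1;
    printf("after setuid: euid=%d root_recoverable=%d\n", (int)geteuid(), root_recoverable());
    return 0;   /* the child must exit now: it can never serve another user */
}
```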