Hi,
I've encountered a security problem when I configure my suphp...

In my vhost config I've entered "suPHP_ConfigPath" to specify a php.ini files that contains the open_basedir directive to protect every my webuser from hacking, but I see that is possible to change suPHP_ConfigPath in .htaccess file.. I can't disable AllowOverride because my webusers want it to makes rewrites rule.
With .htaccess users could change php.ini and so also open_basedir directive!

How can I disable the possibilities to change suphp variables in htaccess?

You can change the line:


AllowOverride All

into

AllowOverride None

Within your /etc/apache2/apache2.conf file

But that means that .htaccess files will not allowed at all on your server!
Lot's of hostingproviders do not accept .htaccess files for security reasons.

I've say that i can't disable .htaccess because my users want make rewrite rules!!

I think i've an interesting article for you.
It might help you.
Here it is:

http://www.xmission.com/help/publishing/misc/suphp_htaccess.html

Nono... this article explain that is possible override php settings of suphp with .htaccess, I would that suphp will not override with htaccess... but I would mantain htaccess... But I think that I could disable htaccess and find other solution to allow the rewrite rule...

Now, I have an other question.
I see that suphp allow chrooting... How I can enable chrooting, there are tutorials to make it? How works chrooting fo suphp?? Thank you very much for your help!

Hi,
Please, read here what Till has to say here:
http://www.howtoforge.com/forums/showthread.php?t=11242&highlight=chroot+ispconfig

If you're using Debian+ISPConfig, i think you can enable chrooting within the file /home/admispconfig/ispconfig/config.inc.php, but i did NOT test it yet!

article that you have linked is for chroot ssh shell account to system... I see that suPHP has an option in his suphp.conf that enable chroot of suphp but I don't find any documentation regarding it... anyone could explain me how it work and how is possible to configure it?