Goal: user separation
My goal is to achieve user separation such that no user can read files from a different web or vhost, either through FTP or a shell account. At the same time Apache needs to be able to serve all the content it should serve. So ideally all files should be readable by the file owner only (0400 or 0600).
Means: suPHP?
I tried to achieve this through the use of suPHP. I have suPHP configured to run any PHP script as the user and group it belongs to. suPHP can execute all 0700 files and read and write all 0600 files. Up to here everything is going just as I expect it to.
Problem: apache2 can't read files
The problem begins when apache2 comes into play. It cannot read any file that is not world-readable. Apache still seems to use its default UID www-data and its default GID www-data. Thus it cannot read any files that are 0600 or 0640.
Can apache2 assume a different UID per Vhost?
I searched the apache2 website and the web and did not find any way to tell Apache to take on a specific UID for a given vhost. Is there a way to do this?
Help!
Is there anything I can do to achieve my goal? Maybe I'm trying to achieve the goal of user-separation the wrong way? What is the standard and/or smart way to do this?
My configuration:
apache2
Code:
zwei:~# apache2 -V
Server version: Apache/2.2.3
Server built: Jan 27 2008 18:13:21
Server's Module Magic Number: 20051115:3
Server loaded: APR 1.2.7, APR-Util 1.2.7
Compiled using: APR 1.2.7, APR-Util 1.2.7
Architecture: 32-bit
Server MPM: Prefork
threaded: no
forked: yes (variable process count)
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/prefork"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=128
-D HTTPD_ROOT=""
-D SUEXEC_BIN="/usr/lib/apache2/suexec"
-D DEFAULT_PIDLOG="/var/run/apache2.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_LOCKFILE="/var/run/apache2/accept.lock"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="/etc/apache2/mime.types"
-D SERVER_CONFIG_FILE="/etc/apache2/apache2.conf"
Code:
zwei:~# cat /etc/apache2/httpd.conf
LoadModule suphp_module /usr/lib/apache2/modules/mod_suphp.so
suPHP
Code:
zwei:~# suphp -V
suPHP version 0.6.2
Code:
zwei:~# cat /etc/suphp.conf
[global]
;Path to logfile
logfile=/var/log/suphp.log
;Loglevel
loglevel=info
;User Apache is running as
webserver_user=www-data
;Path all scripts have to be in
docroot=/
;Path to chroot() to before executing script
;chroot=/mychroot
; Security options
allow_file_group_writeable=true
allow_file_others_writeable=false
allow_directory_group_writeable=true
allow_directory_others_writeable=false
;Check wheter script is within DOCUMENT_ROOT
check_vhost_docroot=true
;Send minor error messages to browser
errors_to_browser=false
;PATH environment variable
env_path=/bin:/usr/bin
;Umask to set, specify in octal notation
umask=0077
; Minimum UID
min_uid=100
; Minimum GID
min_gid=100
[handlers]
;Handler for php-scripts
x-httpd-php=php:/home/admispconfig/ispconfig/tools/suphp/usr/bin/php-wrapper
;Handler for CGI-scripts
x-suphp-cgi=execute:!self
Vhosts_ispconfig.conf
Code:
zwei:~# cat /etc/apache2/vhosts/Vhosts_ispconfig.conf
[...]
#
#
######################################
# Vhost: www.domain.de:80
######################################
#
#
<VirtualHost 213.133.108.249:80>
SuexecUserGroup ardan web55
ServerName www.domain.de:80
ServerAdmin webmaster@domain.de
DocumentRoot /var/www/web55/web
ServerAlias ardan-heerkens.de
DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3 index.shtml index.cgi index.pl index.jsp Default.htm default.htm
Alias /cgi-bin/ /var/www/web55/cgi-bin/
AddHandler cgi-script .cgi
AddHandler cgi-script .pl
ErrorLog /var/www/web55/log/error.log
AddType application/x-httpd-php .php .php3 .php4 .php5
<Directory /var/www/web55/web>
suPHP_Engine on
suPHP_UserGroup ardan web55
AddHandler x-httpd-php .php .php3 .php4 .php5
suPHP_AddHandler x-httpd-php
SetEnv php_safe_mode On
</Directory>
Alias /error/ "/var/www/web55/web/error/"
ErrorDocument 400 /error/invalidSyntax.html
ErrorDocument 401 /error/authorizationRequired.html
ErrorDocument 403 /error/forbidden.html
ErrorDocument 404 /error/fileNotFound.html
ErrorDocument 405 /error/methodNotAllowed.html
ErrorDocument 500 /error/internalServerError.html
ErrorDocument 503 /error/overloaded.html
AliasMatch ^/~([^/]+)(/(.*))? /var/www/web55/user/$1/web/$3
AliasMatch ^/users/([^/]+)(/(.*))? /var/www/web55/user/$1/web/$3
</VirtualHost>
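The following is an added example and not part of the original post or of ISPConfig/suPHP. It audits a vhost tree such as /var/www/web55 (the layout in the vhost above) for the property the question is after: nothing under the tree should be readable or writable by "others", because that is what lets one vhost's FTP or shell user read another vhost's files. The path, the 0750/0640 target modes and the per-vhost owner/group assignment are assumptions; owner and group are left to chown (root), as ISPConfig does when it creates the site. Note that with suPHP the PHP files are opened by the setuid suphp binary as the site user, so they never need to be readable by www-data; static files that Apache serves itself still do, which is exactly the gap the post describes, so any o+r file the audit reports on a static asset needs a decision rather than a blind chmod.

```shell
#!/bin/sh
# Added example: audit and tighten the permissions of one vhost's file tree.
# Assumed layout: /var/www/webNN/{web,cgi-bin,log} as in the ISPConfig vhost.

# List every regular file or directory under $1 whose mode grants read or
# write to "others" (o+r is -004, o+w is -002 in portable find syntax).
audit_world_access() {
    find "$1" \( -type f -o -type d \) \( -perm -004 -o -perm -002 \) -print
}

# Number of offenders; zero means the tree satisfies the separation goal.
count_world_access() {
    audit_world_access "$1" | wc -l | tr -d ' '
}

# Tighten modes to the assumed targets: directories 0750, files 0640, except
# CGI scripts, which must stay executable (0750) because suexec/suPHP runs
# them as the site user. Owner and group are deliberately not touched here;
# a site's uid/gid (e.g. ardan:web55) is assigned with chown as root.
tighten_tree() {
    find "$1" -type d -exec chmod 0750 {} +
    find "$1" -type f -exec chmod 0640 {} +
    find "$1" -type f \( -name '*.cgi' -o -name '*.pl' \) -exec chmod 0750 {} +
}

# Stand-alone use: ./vhostperms.sh /var/www/web55
if [ -n "${1-}" ]; then
    n=$(count_world_access "$1")
    echo "$n world-accessible entries under $1"
    audit_world_access "$1"
fi
```

Run the audit first and look at what it lists before calling tighten_tree: with stock prefork Apache running as www-data, removing o+r from the static content will produce 403s until the server has some other way to read it (group membership, ACLs, or a per-vhost UID), which is the open question of the post.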