I'm setting up a server that will host many web sites on my Debian Sarge machine. Each site will be administered by a different user. Each site will give users SFTP access, access to the cgi-bin, and to PHP (with mod_php installed). I'm not very worried about my users doing anything malicious. However, if a hacker ever obtained a password from one of my users, they'd essentially have free rein on my server to run any kind of Perl/PHP script they wanted.
So assuming a hacker did get access to a user's web space, what can I do to limit the damage? I'm having trouble tracking down a document that will give me a good overview of some basic precautions. Here are some specific questions: Must I abandon mod_php? Is FastCGI the way to go? If permissions on my files are set properly, is it really necessary to chroot Apache? What's this v-host (virtual host?) someone mentioned to me? Is this like giving each user their own chrooted Apache server environment? I use Webmin to help create sites quickly and easily. Must I abandon it?