Linode Forum
Linode Community Forums
PostPosted: Thu Sep 17, 2009 8:50 pm 
Senior Newbie

Joined: Sat Sep 05, 2009 12:10 pm
Posts: 7
I'm setting up web sites for a few different clients and I want to ensure security in terms of cross-site snooping via perl/php scripts run by the server. I've got this setup on a preexisting server by having multiple instances of apache, each running under a different user ID listening to different IP addrs.

However, it seems things have changed and the latest apache config files don't seem particularly designed to do this, mainly because instead of the /etc/init.d/apache start script starting apache directly, it goes through /usr/sbin/apache2ctl which seems to be not designed to handle more than one instance of apache.

A net search on the subject seems to turn up minimal info.

This makes me think that perhaps the security I'm looking for can now be bestowed in some other way. I'm confident I could hack a solution but I'd prefer not to. I've seen mention of suPHP and mod_security to aid in this type of task, though I'm not clear on how I would use these.

Can anyone give some helpful pointers? Thank you.


PostPosted: Thu Sep 17, 2009 9:31 pm 

Joined: Thu Sep 17, 2009 9:26 pm
Posts: 1
Personally, I use the ITK MPM for Apache to achieve this. It lets each vhost run with a separate user ID. http://mpm-itk.sesse.net/

There is some overhead associated with this (an extra fork per request, compared to prefork MPM), but I don't host any high-volume sites so it doesn't bother me any. YMMV.

There is also the theoretical possibility that if there were a security vulnerability early enough in Apache's processing, it could cause a root security compromise. However I have not heard of anything of the sort since I've been using this MPM, so personally I trust it.

I'm sure there are many other solutions to this problem that others can chime in on, but this is the one I've grown most comfortable with.
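
The per-vhost separation described in the reply above, sketched as an added configuration example that is not part of the original thread. It uses the ITK MPM's `AssignUserID` and `MaxClientsVHost` directives; the account names, paths, hostnames and IP addresses are constructed placeholders.

```apache
# Added example: two client sites served by ONE Apache instance running the
# ITK MPM, each vhost handled under its own Unix account.
# All names, paths and addresses below are constructed placeholders.

# Client A: requests are served by a process running as clienta:clienta
<VirtualHost 192.0.2.10:80>
    ServerName client-a.example
    DocumentRoot /srv/www/client-a/htdocs

    # ITK MPM: switch to this uid/gid after the request has been parsed
    AssignUserID clienta clienta

    # ITK MPM: cap concurrent processes for this vhost so one client's
    # site cannot use up every server slot
    MaxClientsVHost 20

    # Keep each client's logs apart as well
    ErrorLog  /var/log/apache2/client-a-error.log
    CustomLog /var/log/apache2/client-a-access.log combined
</VirtualHost>

# Client B: same server, different account
<VirtualHost 192.0.2.11:80>
    ServerName client-b.example
    DocumentRoot /srv/www/client-b/htdocs

    AssignUserID clientb clientb
    MaxClientsVHost 20

    ErrorLog  /var/log/apache2/client-b-error.log
    CustomLog /var/log/apache2/client-b-access.log combined
</VirtualHost>

# The separate uids only stop cross-site reads if the filesystem agrees:
# each client's tree should be owned by that client's account and not be
# readable by others (for example owner clienta:clienta, mode 0750 on
# /srv/www/client-a). A world-readable tree can still be read by scripts
# running as clientb.
#
# As the reply notes, the process handling a connection starts as root and
# drops to the assigned uid only once the vhost is known, so a flaw in
# Apache's early request handling would be exposed with root privileges.
```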


PostPosted: Fri Sep 18, 2009 12:03 pm 
Senior Newbie

Joined: Sat Sep 05, 2009 12:10 pm
Posts: 7
That looks good. Thank you!

