I am setting up a web server that will host a number of different web sites as Apache VirtualHosts, each of these will have the possibility to run scripts (primarily PHP, possiblu others).
My question is how I isolate each of these VirtualHosts from eachother and from the rest of the system? I don't want e.g. website X to read the configuration of website Y or any of the server's "private" files.
At the moment I have set up the VirtualHosts with FastCGI, PHP and SUExec as described here (http://x10hosting.com/forums/vps-tutorials/148894-debian-apache-2-2-fastcgi-php-5-suexec-easy-way.html), but the SUExec only prevents users from editing/executing files other than their own - the users can still read sensitive information such as config files.
I have thought about removing the UNIX global read permission for all files on the server, as this would fix the above problem, but I'm not sure if I can safely do this without disrupting the server function.
I also looked into using chroot, but it seems that this can only be done on a per-server basis, and not on a per-virtual-host basis.
I'm looking for any suggestions that will isolate my VirtualHosts from the rest of the system.
PS I'm running Ubuntu 12.04 server
My ANSWER: I ended with almost following my current configuration, but doing a chroot jail for all the virtual hosts, e.g. having the chroot jail in /var/www
and then have all the users' data in subfolders each with group/others r/w/x permissions disabled. This option was desirable especially because it is all possible without any modifications to source code.
I selected @Chris' answer, because it was thoroughly written and also considered FTP and SELinux