Check your error logs, or just skim the ones of all users, for PHP scripts that keep running (an easy way would be to check log sizes). This won't tell you definitively, but you could probably narrow it down.
Here is something I found. It looks like this project is dead, but I'm not sure if there is something similar.
Basically the way Suexec works, but instead of for CGI scripts it's for Apache. Apache will run a child process for a request as the user for a specific account specified in the vhost.
Copy/pasted from one of my old posts in http://interworx.info/forums/showthread.php?t=262:
“Also, while on the subject of Suexec and running scripts as different users I found a module that was being developed that allowed you to have apache run child processes for each virtual host as a particular user which would allow PHP (or any other script) to run as a particular user instead of the Apache user set in the main apache config file. (http://httpd.apache.org/docs-2.0/mod/perchild.html)”
"This module is not functional. Development of this module is not complete and is not currently active. Do not use perchild unless you are a programmer willing to help fix it."
Do you know of any other similar projects to this?
It seems as though this one is dead and no one is working on it. I don't know how these things usually go. Is it possible someone will pick it up in the future? I wonder why it isn't moving further along. I see this as a huge breakthrough for a shared hosting environment, to see who is doing what on the server and, as you said, for security.
On the security note…
Something I figured out by mistake (not going into details): it is very easy to write a PHP script to browse other users' directories on a shared server. Even easier on a server where you know the directory structure of the user accounts (i.e. iworx or similar). And if you don't generate any PHP script error messages, it is almost impossible to trace it back to a particular account, since PHP runs as “nobody” or “apache” or something.
One easy way to stop the above (at least the way I figured out) is adding a php_admin_value open_basedir line to the vhost, so that the user only has rights to certain directories. You just have to remember to include all directories that account might need.
open_basedir has been buggy in the past and I'm not sure if it's 100% fixed in 4.3.9 or not. We've had a bunch of shared boxes using it and found that often, even though our settings are per-vhost, the open_basedir setting would be set to the last vhost in the bunch for all vhosts.
Regarding the per-child MPM, I'm not sure. It'd be nice to see someone get it at least working with some stability initially, at least so it performs the simplest functions that it was designed to.
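An added example, not part of any post in this thread: a small Python audit of the per-vhost php_admin_value open_basedir lines discussed above. It flags vhosts that have no open_basedir and vhosts whose value also covers another account's DocumentRoot. The sample config, hostnames and paths are constructed, and comparing paths as plain string prefixes is an assumption that may over-report.

```python
import re

# Constructed sample config: hypothetical accounts and paths, not from the thread.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName alice.example.com
    DocumentRoot /home/alice/public_html
    php_admin_value open_basedir "/home/alice/:/tmp/"
</VirtualHost>
<VirtualHost *:80>
    ServerName bob.example.com
    DocumentRoot /home/bob/public_html
</VirtualHost>
<VirtualHost *:80>
    ServerName carol.example.com
    DocumentRoot /home/carol/public_html
    php_admin_value open_basedir "/home/:/tmp/"
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """Argument of the last uncommented `name` directive in a vhost body, or None."""
    hits = re.findall(r"^[ \t]*" + name + r"[ \t]+(.+?)[ \t]*$", body, re.M | re.I)
    return hits[-1].strip("\"'") if hits else None

def covers(prefixes, path):
    # Assumption: plain string-prefix comparison, the conservative reading.
    return any(path.startswith(p) for p in prefixes)

def audit(conf_text):
    """Return (ServerName, finding) pairs for missing or over-broad open_basedir."""
    vhosts = []
    for body in VHOST_RE.findall(conf_text):
        basedir = directive(body, r"php_admin_value[ \t]+open_basedir")
        prefixes = [p for p in basedir.split(":") if p] if basedir else None
        vhosts.append((directive(body, "ServerName") or "(unnamed)",
                       directive(body, "DocumentRoot"), prefixes))
    findings = []
    for name, docroot, prefixes in vhosts:
        if prefixes is None:
            findings.append((name, "open_basedir not set"))
            continue
        if docroot and not covers(prefixes, docroot):
            findings.append((name, "own DocumentRoot not covered"))
        for other, other_root, _ in vhosts:
            if other != name and other_root and covers(prefixes, other_root):
                findings.append((name, "reaches " + other))
    return findings
```

This checks the configuration text only. It does not detect the runtime behaviour described in the last reply, where the effective open_basedir differed from the configured one.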