making pages read-only by apache calling user
Posted by: todgee
Posted on: 2008-09-22 17:49:00
I understand why DreamHost has web requests execute as the owning user; however, it's making it hard to secure my website. Maybe there's something someone can suggest to help me out? Please read on.
I'm coming from a co-lo I used to own, so I'm used to having the user executing my web requests being the apache user ("apache"). Since this was the case, it was easy to secure sites from modification -- just make the sites world readable only -- the apache user could not possibly modify anything -- just read.
Now that my shell user is the executing user, I cannot truly secure a site. I use Drupal, and if the calling user can run code, they can do anything (within my directory tree of course). Is there any way of preventing write access to the running user? (I could chmod it 0444, but the executing user is still the file owner so it could chmod it back before writing... or delete the file altogether.)
I tried creating another user (user "B") and having that user be the executing user. I then created a symlink from the root directory of the site (in user "B"'s directory tree) to the real directory containing the files in the primary user's home directory. This should work -- user "B" can read the files (i.e. cat them), but apache reports a 403 error when trying to execute the index.php file.
Anyone have any ideas?
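The ownership problem raised in the post above, shown as an added example that is not part of the original post: a small audit that reports, from ownership and mode bits alone, every way a given non-root account could still alter a file (direct write, chmod as owner, or delete/replace through a writable parent directory). The function names, the `site/index.php` sample tree, and the "uid + 1" second account are assumptions made for illustration.

```python
import os
import tempfile

def _perm_bits(st, uid, gids):
    """rwx triplet (0-7) the kernel applies to this uid: owner, else group, else other."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def write_exposure(path, uid, gids=()):
    """List the ways a non-root `uid` could alter `path`, from ownership and mode bits."""
    st = os.lstat(path)
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    reasons = []
    if _perm_bits(st, uid, gids) & 2:
        reasons.append("writable")
    if st.st_uid == uid:
        reasons.append("owner-can-chmod")            # 0444 can be undone by the owner
    if (_perm_bits(parent, uid, gids) & 3) == 3:      # w+x on the containing directory
        sticky = parent.st_mode & 0o1000
        if not sticky or uid in (st.st_uid, parent.st_uid):
            reasons.append("parent-dir-writable")     # file can be deleted or replaced
    return reasons

def audit_tree(root, uid, gids=()):
    """Map each regular file under `root` (relative path) to its non-empty exposure list."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue                              # symlink mode bits are not meaningful
            reasons = write_exposure(path, uid, gids)
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

def demo():
    """Constructed sample: a 0444 index.php inside a 0755 directory owned by the caller."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as tmp:
        site = os.path.join(tmp, "site")
        os.mkdir(site)
        page = os.path.join(site, "index.php")
        with open(page, "w") as fh:
            fh.write("<?php // constructed sample ?>\n")
        os.chmod(page, 0o444)
        os.chmod(site, 0o755)
        # Same tree, judged for the owning account and for a hypothetical separate one.
        return audit_tree(site, me), audit_tree(site, me + 1)

if __name__ == "__main__":
    print(demo())
```

For the owning account the 0444 file is still reported twice over, while the separate account gets an empty result, which is the read-only property the old "apache" user setup provided.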