The best option is to disable those functions if you can find a work-around. Another option may seem a little crazy, but this is what I've done with mod_fcgid + suEXEC:
1. Edit /etc/group so that "nobody" is in each web user's group. (Only web users!!) So:
useracct:x:537:useracct,nobody
2. Restart Apache
3. Modify permissions (for each account):
# cd /home/useracct/public_html/
# find . -type d -exec chmod 710 {} \;
# find . -type f -exec chmod 640 {} \;
# find . -type f -name "*.php" -exec chmod 600 {} \;
The above will set:
- read/write/traverse on all directories for the owner, and traverse only for the group (needed because "nobody" is in the group), but no rights for "everyone".
- read/write for all files for owner, read-only for group (so apache can serve images, html, css, etc.), and no rights for "everyone".
- read/write for PHP files for owner, and absolutely no rights for anyone else. This makes it impossible for apache to ever read a php config script directly and expose your passwords.
As always, test this somewhere unimportant before doing it live. You'll also want to check the permissions within the user's home directory and make sure the user's group doesn't have access to places it shouldn't.
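An added example, not part of the original post: a small audit that reports any path under a docroot that has drifted from the 710 / 640 / 600 scheme above, and checks the group-file entry from step 1. The function names (`audit_docroot`, `group_has_member`, `make_sample`) are hypothetical, and the sample tree and group file are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post): audit the 710/640/600 scheme.

# List every path under docroot $1 whose mode differs from the scheme,
# prefixed with the mode it should have. No output means compliant.
audit_docroot() {
    find "$1" -type d ! -perm 710 -print | sed 's/^/want 710: /'
    find "$1" -type f -name '*.php' ! -perm 600 -print | sed 's/^/want 600: /'
    find "$1" -type f ! -name '*.php' ! -perm 640 -print | sed 's/^/want 640: /'
}

# Succeed if user $3 is in the member list of group $2 in group file $1.
group_has_member() {
    awk -F: -v g="$2" -v m="$3" '
        $1 == g { n = split($4, a, ","); for (i = 1; i <= n; i++) if (a[i] == m) ok = 1 }
        END { exit !ok }' "$1"
}

# Build a constructed sample account under $1 and apply the post's chmod steps.
make_sample() {
    mkdir -p "$1/public_html/img"
    : > "$1/public_html/index.html"
    : > "$1/public_html/config.php"
    : > "$1/public_html/img/logo.png"
    printf 'useracct:x:537:useracct,nobody\nother:x:538:other\n' > "$1/group"
    find "$1/public_html" -type d -exec chmod 710 {} \;
    find "$1/public_html" -type f -exec chmod 640 {} \;
    find "$1/public_html" -type f -name '*.php' -exec chmod 600 {} \;
}

# Demo: a later upload resets config.php to 644; the audit reports it.
tmp=$(mktemp -d)
make_sample "$tmp"
chmod 644 "$tmp/public_html/config.php"
audit_docroot "$tmp/public_html"
group_has_member "$tmp/group" useracct nobody && echo "nobody is in useracct"
rm -rf "$tmp"
```

Run against a real account, `audit_docroot /home/useracct/public_html` prints nothing when every directory and file matches the scheme, so it can be scheduled to catch permissions reset by uploads or installers.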