Multiple VHosts with FastCGI and Suexec

I have a Debian virtual machine server which I have full control over, but I have someone who wants to host a single domain on it. This is obviously a security concern, as even if his particular user cannot read all of the other domain’s files, any script he runs (PHP) on the webserver can. To illustrate:

% ls -l /srv
drwxr-x--x 5 admin    admin    4096 Mar  4 13:29 secretsite.com
drwxr-x--x 4 bob      bob      4096 Apr  4 12:41 mycoolsite.co.uk
$ su - bob
$ ls /srv/
ls: cannot open directory /srv/: Permission denied
$ ls -R /srv/mycoolsite.co.uk/
/srv/mycoolsite.co.uk:
public

/srv/mycoolsite.co.uk/public:
htdocs

/srv/mycoolsite.co.uk/public/htdocs:
index.php

However:

$ cat /srv/mycoolsite.co.uk/public/htdocs

<?php
echo shell_exec('whoami');

echo shell_exec('ls /srv');
?>

Which outputs in a browser: www-data secretsite.com mycoolsite.co.uk… not very desirable.

So I decided to use FastCGI and Suexec to make sure bob’s PHP files were executed as him. I was mostly following the instructions given here, but I already have a mass-hosting Apache configuration all set up.

In sites-enabled I have this configuration file called zz-mass-hosting:

NameVirtualHost my.ip.address:80

<VirtualHost my.ip.address:80>
    <Directory "/srv">
        AllowOverride all
    </Directory>

    AddHandler cgi-script .cgi
    UseCanonicalName        Off

    VirtualDocumentRoot     /srv/%0/public/htdocs/
    VirtualScriptAlias      /srv/%0/public/cgi-bin/

    SetVirtualDocumentRoot on


</VirtualHost>

Which works great.

So, for setting up this domain, mycoolsite.co.uk, specifically I installed through apt: libapache2-mod-fcgid apache2-suexec-custom php5-cgi

I modified /etc/apache2/suexec/www-data to read: /srv. With no second line. And created /etc/apache2/conf.d/php5-fastcgid.conf:

AddType application/x-httpd-php .php

AddHandler php-fcgi .php
Action php-fcgi /fcgi-bin/php5-fcgi

Alias /fcgi-bin/ /home/www-data/

<Location /fcgi-bin/>
        SetHandler fcgid-script
        Options +ExecCGI
</Location>

/home/www-data/php5-fcgi is:

#!/bin/sh
exec /usr/bin/php5-cgi

with ownership www-data:www-data. I created /home/www-data/bob with ownership bob:bob and copied php5-fcgi there.

I then created zzz-mycoolsite.co.uk in sites-available:

<VirtualHost my.ip.address:80>

             ServerAdmin [email protected]
             ServerName mycoolsite.co.uk

             Alias /fcgi-bin/ /home/www-data/bob/
             SuexecUserGroup bob bob

             DocumentRoot /srv/mycoolsite.co.uk/public/htdocs/

             <Directory /srv/mycoolsite.co.uk/public/htdocs/>
                        Options Indexes FollowSymLinks
                        AllowOverride None
                        Order allow,deny
                        allow from all
             </Directory>

</VirtualHost>

But when I activate this site, and go to mycoolsite.co.uk/index.php it still says it is running as www-data. Can anyone see where I am going wrong?