Secure Apache PHP vhost configuration
Posted by jsimmons on Server Fault
Published on 2011-05-05T23:41:17Z
Indexed on 2012/04/08 23:32 UTC

I'm looking to secure some websites running under Apache using suexec. At the moment PHP is executed with the user/group of the file being executed. This seems to me not secure enough. It stops vhosts interfering with each other, but does not stop malicious code writing anywhere in the vhost being used.
I was thinking that a possibility would be to run scripts as nobody/vhost group, that way the vhost user could still have full access to the vhost directories, but executing PHP would only be able to write to files with g+w, and to execute files with g+x. This I think should stop arbitrary writing in the web dir from compromised PHP.
Just wondering if this is crazy, ridiculous, stupid?
Of course this would be done on top of existing security measures.
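An added example, not part of the original post: a small audit of the nobody/vhost-group model described above, listing what a PHP process running under that identity could modify in a vhost tree. The function names and the uid/gid values are hypothetical; the check models plain POSIX mode bits only (no ACLs, no root bypass, no sticky bit).

```python
import os
import stat

W = 0o2    # write bit, in "other" position
WX = 0o3   # write + search: needed to create or delete entries in a directory

def granted(st_mode, st_uid, st_gid, proc_uid, proc_gids, need):
    """POSIX mode-bit check. Exactly one class applies: owner, else group, else other."""
    if proc_uid == st_uid:
        shift = 6
    elif st_gid in proc_gids:
        shift = 3
    else:
        shift = 0
    return ((st_mode >> shift) & need) == need

def audit_vhost(root, proc_uid, proc_gids):
    """Return sorted (kind, relative path) pairs the given identity can modify."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        entries = [(dirpath, "dir", WX)]
        entries += [(os.path.join(dirpath, f), "file", W) for f in files]
        for path, kind, need in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # mode bits on a symlink itself are not meaningful
            if granted(st.st_mode, st.st_uid, st.st_gid, proc_uid, proc_gids, need):
                findings.append((kind, os.path.relpath(path, root)))
    return sorted(findings)

if __name__ == "__main__":
    # Constructed sample: vhost user 1001, vhost group 2001, PHP runs as 65534 ("nobody").
    php_uid, php_gids = 65534, {2001}
    samples = {
        "index.php 0640": 0o100640,    # group read-only
        "cache.dat 0664": 0o100664,    # g+w
        "odd.txt   0606": 0o100606,    # o+w but no g+w: group class still applies
    }
    for label, mode in samples.items():
        print(label, "writable:", granted(mode, 1001, 2001, php_uid, php_gids, W))
    # A directory with g+wx lets the process replace files inside it,
    # whatever the mode of the files themselves.
    print("uploads/ 0770 modifiable:",
          granted(0o040770, 1001, 2001, php_uid, php_gids, WX))
```

Directories matter as much as files here: any directory with g+w and g+x lets the PHP identity delete and recreate entries inside it, so the audit reports directories and files separately.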
© Server Fault or respective owner