If I have PHP with Suhosin running as CGI under Apache SuExec, is open_basedir necessary? I've heard it's good to have in a shared hosting environment where the sites are outside of your direct control, but what if the sites are all my own?
I'd suggest that you always want to go with the most restrictive permissions possible. SuExec and Suhosin are a good start, but many files are readable by 'other' (e.g. some logs, possibly your other web files, etc.) and some locations (e.g. /tmp) are writeable by all. Furthermore, SuExec is not immune to vulnerabilities - additional precautions are always beneficial.
Consider it from this perspective - even though it is your code that you are running, the possibility of vulnerabilities still exists. If your code is compromised and someone is able to execute other code, you want whatever safeguards possible in place. Each additional safeguard you have in place will help to limit the damage that can be done on a compromised system.
Ideally, each of your sites would be set up in a chroot jail (better performance and security) - however, that tends to be a lot of work to set up and maintain. Using open_basedir is an easy-to-set-up alternative (although not immune to exploits), which typically has little impact on the functioning of most sites. There has been at least one case where it has been helpful even with SuExec.
open_basedir does have a performance penalty - but if that is a major concern, it may be best to benchmark the performance of your site with and without it, and see if the difference is significant (in which case, you may consider the chroot approach, if your system allows it).
Always expect the worst, even though you may hope for the best.
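The answer's point about files readable by 'other' and locations writable by all can be checked on a given host. The script below is an added example, not part of the original answer; it lists what any local account, including another site's SuExec user, can read or write under the paths you pass in. The function names are chosen for illustration.

```shell
#!/bin/sh
# Added example: audit paths that stay reachable to every local account
# when only SuExec separates sites and no open_basedir or chroot applies.

# Regular files with the "other" read bit set under the given roots.
world_readable_files() {
    find "$@" -xdev -type f -perm -004 2>/dev/null | sort
}

# Directories with the "other" write bit set under the given roots.
world_writable_dirs() {
    find "$@" -xdev -type d -perm -002 2>/dev/null | sort
}

# Print both lists; return 1 if anything is exposed, 0 otherwise.
audit_exposure() {
    status=0
    readable=$(world_readable_files "$@")
    writable=$(world_writable_dirs "$@")
    if [ -n "$readable" ]; then
        printf 'Files readable by other:\n%s\n' "$readable"
        status=1
    fi
    if [ -n "$writable" ]; then
        printf 'Directories writable by other:\n%s\n' "$writable"
        status=1
    fi
    return "$status"
}

# Run the audit only when paths are given on the command line.
if [ "$#" -gt 0 ]; then
    audit_exposure "$@"
fi
```

Run it against each site's document root and log directory (for example a hypothetical /var/www/site1); anything it prints is a candidate for tighter modes, whether or not open_basedir is also set.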