On servers doing shared web hosting, or sharing the PHP environment between different PHP applications, I usually implement a security policy that uses PHP open_basedir to restrict each user to his/her own directory (along with other PHP directives like disable_functions for example). I also see quite a lot of posts here on SF discussing the benefits of using this feature.
However, now I stumble on this notice in the Debian package file README.Debian.security stating explicitly that they don't provide security support for (amongst others):
* Vulnerabilities involving any kind of open_basedir violation, as
this feature is not considered a security model either by us or by
PHP upstream.
So I wonder, does this statement is just there to waive any responsibility or does it have more fundamental reasons?
In particular, how would you go to secure a PHP server used by multiple different users without open_basedir and while trying not to raise the maintenance effort to high? Or would you just recommend to never do shared hosting as the PHP developers are stating in their security note?
Seems the reason for the disclaimer is that there are ways to break out of the open_basedir rule. I would still use it on a shared host but don't count on it as your only security. Also have each virtual host owned by a different user and run the apache process under that user account for the scripts on that host.
To your more general question though, I do think the age of shared hosting is almost over. Virtual host technology has advanced to the point that a shared host is almost useless.