I've found that most clients don't need or expect to log in to a web server.
The handful of people that do can be given their own dedicated server to use
or something like that.  For the rest, just give each domain name/user
their own httpd instance running with its own config, its own unix user, and
its own IP address.  Or give each domain two users: one user to own the file
system and a separate one that is selectively given permission to write within
that filesystem.  Run httpd chrooted, and you can use any module you want
without sharing write permissions between unix users (shared webhosting evil).
Give all the users chrooted access to their own web root files through ftp or
sftp.  I've never tried to chroot sftp, or at least there is no obvious way
to do it to me.  But, since no unix user needs access to another's directory
tree, it's pretty easy to lock people out of places they don't need to be.

You need to give SSL users their own IP address anyway, and this technique
makes it easier to ensure security on a shared server.  It is a bit more
resource intensive since each virtual host has several apache processes
running, but apache will scale down the number of processes when hits
are low and modern hardware is fast and big enough that this becomes a decent
compromise for resource usage (versus multiple virtualized OS servers or
whatever.)

For email it is nice to keep the users in an SQL or LDAP database, use
one of a million web/database management tools for it, and point your
software to use it.  I like postfix and dovecot but I am not overjoyed
with any of the mediocre web tools for managing the virtual users and
whatever else.  A well thought out database driven system can be fairly
easy to scale as disk or cpu load increases by using multiple data stores,
pop/imap proxies and multiple front end spam processors.  There are lots of
examples of these sorts of designs available through google so I won't bore
you anymore.

Also if you have the right kind of user population, a significant percentage
expect MS Frontpage support.  These are always the same people who don't ever
ask for shell access.  MS Frontpage is fairly easy to do with some mod_rewrite
rules and a custom CGI that calls the MS cgi (i386 bsdos executable).
There are almost certainly buffer overflows in the MS cgi.  So if you
are running a chrooted per-user apache installation, you can theoretically
limit potential damage to the user.  suexec would be the only privileged
binary in the chroot (and not necessary if the apache user has write
permission where expected).

Chris

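As an added example (not code from Chris's post, and not a particular hosting product's tooling), the shell script below generates the three pieces the per-domain scheme above implies: the account and directory-permission setup with a separate owner and httpd run-as user, a minimal config for one httpd 2.4 instance bound to its own IP and chrooted with mod_unixd's ChrootDir, and an OpenSSH Match block that gives the owner chrooted sftp through internal-sftp (so no binaries need to live in the chroot). The domain, the 192.0.2.10 address, the /srv/www layout and the account names are assumptions chosen for illustration; the script prints the provisioning commands rather than running them, so it needs no root to try out.

```shell
#!/bin/sh
# Added example, not code from the original post. Domain, IP, account names
# and the /srv/www/<domain> layout are assumptions for illustration.

# Print (do not run) the commands that create the owner account, the httpd
# run-as account, a writer group and the directory layout for one domain.
# TAG is the domain with dots removed, used for unix account/group names.
provision_cmds() {
  dom="$1"; tag="$2"; root="/srv/www/$dom"
  cat <<EOF
groupadd ${tag}_w
useradd -d $root -s /sbin/nologin $tag
useradd -d /nonexistent -s /sbin/nologin -G ${tag}_w ${tag}_httpd
mkdir -p $root/htdocs/uploads $root/logs
# chroot parent: root-owned and not group/world writable (sshd enforces this)
chown root:root $root && chmod 0755 $root
# content: the owner writes via sftp, the httpd user only reads via "other" bits
chown -R $tag:$tag $root/htdocs && chmod -R u=rwX,go=rX $root/htdocs
# the one directory httpd may write to: writer group gets w, setgid keeps the group
chgrp ${tag}_w $root/htdocs/uploads && chmod 2775 $root/htdocs/uploads
chown ${tag}_httpd:${tag}_httpd $root/logs && chmod 0750 $root/logs
EOF
}

# Config for one httpd 2.4 instance started with "httpd -f <this file>": own IP,
# own unix user, chrooted into the domain tree. Logs and pidfile are opened
# before the chroot and use real paths; DocumentRoot is resolved per request
# after the chroot, so it is written relative to the new root. Add the 443
# listener with the domain's own certificate to the same file.
httpd_conf() {
  dom="$1"; ip="$2"; tag="$3"; root="/srv/www/$dom"
  cat <<EOF
ServerRoot "$root"
Listen $ip:80
User ${tag}_httpd
Group ${tag}_httpd
ChrootDir "$root"
PidFile "$root/logs/httpd.pid"
ErrorLog "$root/logs/error_log"
ServerName $dom
DocumentRoot "/htdocs"
<Directory "/htdocs">
    Options -Indexes -Includes -ExecCGI
    AllowOverride None
    Require all granted
</Directory>
EOF
}

# sshd_config Match block: the owner gets chrooted sftp and nothing else.
# umask 0022 keeps uploads world-readable so the (different) httpd user can
# serve them while only the owner can write.
sshd_chroot_block() {
  dom="$1"; tag="$2"
  cat <<EOF
Match User $tag
    ChrootDirectory /srv/www/$dom
    ForceCommand internal-sftp -u 0022
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Check that a directory is fit to be a ChrootDirectory parent: owned by root
# and not writable by group or others. Returns 0 if ok, 1 otherwise.
chroot_parent_ok() {
  [ -d "$1" ] || return 1
  set -- $(ls -ld "$1")
  mode="$1"; owner="$3"
  [ "$owner" = root ] || return 1
  case "$mode" in
    d????w*|d???????w*) return 1 ;;
  esac
  return 0
}

# Usage: sh per_domain.sh example.com 192.0.2.10
if [ "$#" -eq 2 ]; then
  dom="$1"; ip="$2"; tag="$(printf %s "$dom" | tr -d .)"
  provision_cmds "$dom" "$tag"
  httpd_conf "$dom" "$ip" "$tag"
  sshd_chroot_block "$dom" "$tag"
fi
```

Because each domain's httpd runs as its own uid and every owner is chrooted into its own tree, the "other" read bit on content only exposes it to that domain's own server; the writer group is the sole place two uids share write access, and it is confined to the one upload directory.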