After some effort I managed to set up a good config for Apache on an Ubuntu 8.04 machine: each vhost had its own user and group and by using mod_fcgi with mod_suexec, each one had only access to its directories, so no site was able to write on (or read from) another site's files.

Everything went alright.

Now, I need to install a PECL extension: APC, which doesn't work well under fcgi, so I have to disable both fcgi and suexec, and use the regular mod_php instead. In this scenario every domain runs under the default apache www-data user account.

I can set that up to work correctly by "chowning" directories in every domain to that user and group, but that way my desired file security pattern goes away.

Some idea on how could I setup both filesystem permissions and Apache so I have an approach the closest possible to the one I had with fcgi and suexec?

Thanks in advance.