Shared host security

inoffensive nickname

7:15 pm on Jun 29, 2007 (gmt 0)

I don't know much about this stuff, so here goes. I'm on a shared host running a UNIX OS and Apache as the webserver software. PHP is running as a CGI, which makes me think that they're running something like suEXEC, but I really don't know how to tell. How do I tell whether or not they're running suEXEC? (I know that I could probably ask them, but dealing with tech support is the last thing I want to do.)

Which user does Apache run under? I've seen stuff about Apache running as "nobody", which doesn't seem to be the case for me, as is shown through several of my observations:

According to phpinfo(), safe mode is set to off.

When I set a PHP script's permissions to rw- --- ---, I can still run it through my web browser.

I can establish a connection to a mysql database in a PHP file with the aforementioned permissions (as in, mysql_connect returns true).

Using a simple PHP script (stolen from Chris Shiflett's Shared Host Security article [shiflett.org...] ), I could browse much of the file system, but I got a permission denied error whenever I tried to visit another user's files.

These facts lead me to believe that Apache cannot be running as "nobody", because if it were, my scripts would not be able to run. And it doesn't look like any other users on the server would be able to use PHP to peek into my files, but is this necessarily the case for other languages? What if they're just running suPHP and everything else is running wild? Basically I need to know how to find out about the server's configuration, but I am clueless as to how. Judging from my experience with tech support, it might be difficult to get hold of someone who can help me out:

Me: Hi John, I'd like to know whether or not your UNIX servers are running something like suEXEC. I noticed that using a PHP script, I couldn't browse the filesystem (which makes me feel a lot better as to the security of my files). But I'm not sure about other languages.
John V: We support .php4 and 5 versions and MySql database on our servers.
Me: That's great John, but do you know whether or not you're running suEXEC?
John V: I am sure, we do not support suEXEC
Me: Okay, but then how am I not able to browse the file system if you're not running something similar to it. PHP isn't running in safe mode either, so basically, how are my files secured from the other users' scripts?
Me: The other users on the server, that is.
John V: The file extension of the .php should be .php4 or 5
John V: Then only the changes will take place.

<snip>

[edited by: trillianjedi at 8:00 pm (utc) on June 29, 2007]
[edit reason] No hosting specifics please, as per our TOS. Thanks. [/edit]
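A way to answer the poster's question from inside the account, without tech support: a small diagnostic script. This is an added example, not part of the thread above and not Chris Shiflett's script. It assumes only that you can upload a PHP file to your own web space and request it over HTTP; the posix extension is optional, and the script says so when it is missing. The point it relies on is that suEXEC/suPHP make the PHP process run as the uid that owns the script, so comparing the process uid with the file owner settles the "which user does Apache run me as" question directly.

```php
<?php
// probe.php: added diagnostic for the shared-host question above (not from the thread,
// not Shiflett's script). Assumptions: you can upload this to your own account and
// request it over HTTP; posix_* functions may or may not be available.
header('Content-Type: text/plain');

// 1. How PHP is attached to Apache. suEXEC/suPHP can only act on the CGI/FastCGI SAPIs;
//    with "apache2handler" (mod_php) every script on the box runs as the web server user.
$sapi = php_sapi_name();
echo "SAPI:         $sapi\n";
echo "safe_mode:    " . (ini_get('safe_mode') ? "on" : "off") . "\n";

// 2. Who owns this file versus who is executing it. Note that get_current_user() only
//    reports the owner of the script file, so it cannot answer "which user is Apache";
//    posix_geteuid() reports the identity of the running process.
$ownerUid  = fileowner(__FILE__);
$ownerName = get_current_user();
$euid      = function_exists('posix_geteuid') ? posix_geteuid() : null;
$euidName  = '?';
if ($euid !== null && function_exists('posix_getpwuid')) {
    $pw = posix_getpwuid($euid);
    if ($pw) {
        $euidName = $pw['name'];
    }
}
echo "script owner: $ownerName (uid $ownerUid)\n";
echo "process uid:  " . ($euid === null ? "unknown (posix extension missing)" : "$euid ($euidName)") . "\n";

// 3. Who owns files that your scripts create (uploads, caches, session files you write).
//    If the answer is the server user, every other account's script runs as that same
//    user and can read or rewrite them, and you may not even be able to delete them over FTP.
$probe     = __DIR__ . '/.probe_' . getmypid();
$createdBy = null;
if (@file_put_contents($probe, "probe\n") !== false) {
    $createdBy = fileowner($probe);
    @unlink($probe);
}
echo "files PHP creates are owned by uid: " . ($createdBy === null ? "n/a (directory not writable)" : $createdBy) . "\n";

// 4. Whether other uids can even enter this directory. Under a suEXEC-style setup another
//    user's script is a different uid, so a directory without o+rx stops it at the door.
$mode = fileperms(__DIR__) & 0777;
printf("this directory mode: %04o (%s)\n", $mode,
    (($mode & 0005) == 0005) ? "others may enter and list it" : "others cannot enter it");

// Verdict, from the uid comparison above.
if ($euid === null) {
    echo "VERDICT: cannot read the process uid here; repeat the check from a Perl or shell CGI.\n";
} elseif ($euid === $ownerUid) {
    echo "VERDICT: PHP runs as you (uid $euid): a suEXEC/suPHP-style setup. A file of yours\n";
    echo "         with mode 0600 is unreadable to other accounts' PHP, which runs as their uids.\n";
} else {
    echo "VERDICT: PHP runs as the web server user ($euidName, uid $euid), not as you. Every\n";
    echo "         other account's PHP runs as that same uid and can read whatever it can read.\n";
}
```

Request the script in a browser and read the four lines before the verdict: the uid comparison answers the suEXEC question for PHP, and the "files PHP creates" line is the one most people overlook. The script can only speak for PHP, which is exactly the poster's remaining worry; to check Perl or Python CGI on the same host, run the same comparison from that interpreter (effective uid of the process against the owner of the script file) rather than assuming the PHP result carries over.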