I have php 5.3.0 with Apache 2 on Mac OS X, using Pureftpd as an ftp server with TLS. I am not currently offering SSH other than to myself.

I plan to host multiple clients sites on this server. This question is in regards to securing the system as a whole.

All files are uploaded as user/group pureftp. 644/755
I noticed that I could do things in php like file_get_contents(../../someone/elses/stuff/database.inc.php)

Is the correct way to solve that to use "open_basedir" in the Virtual Host for Apache?

Does "open_basedir" stop exec() from something like exec('cat ../../somefile.php'), if not, what is the suggested method to secure this?

I think the summary is I am looking for how to secure php in a shared hosting environment.

within httpd.conf I include a virtualhost conf file. Is it acceptable to next the Directory block inside the VirtualHost block. This seems more organized to me, and seems to work.

Any other suggestions? Perhaps there are ways to have Apache run and lock down all access to a certain directory. However, I know php needs access to /tmp and possibly other things, like curl being able to fully follow redirects.

How are large shared hosting places setting these systems up?
Thank you for any pointers.