Forum Moderators: coopster

php access

ray2830

9:41 pm on Jan 30, 2007 (gmt 0)

10+ Year Member



ok. here's the question.

i'm hosting 2 sites on my web account.

the 2nd site is on a subdirectory of the root like: /public_html/2ndsite

is there a way to deny access to scripts executed in /public_html/2ndsite or below to all files in /public_html?

this way if /public_html/2ndsite gets hacked, they can't delete files in /public_html/1stsite

thanks

StupidScript

10:04 pm on Jan 30, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Sadly, if /public_html/2ndsite gets "hacked", you'll be out of luck with /public_html/1stsite ... as your entire server is likely to be compromised. No easy way around it.

IanKelley

2:21 am on Jan 31, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



If you have open_basedir turned on, a compromise in a user account directory will not allow access to the entire server.

[us2.php.net...]

coopster

2:46 am on Jan 31, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Although that is a true statement, it seems the OP is stating that the open_basedir would be the same for both accounts, separated only by some form of internal directory restructuring.

StupidScript

7:27 pm on Jan 31, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



To clarify, a little (from php.ini):

; open_basedir, if set, limits all file operations to the defined directory
; and below. This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file.
;
open_basedir = /public_html

would allow scripts to be executed in public_html and below ... including both 1stsite and 2ndsite.

open_basedir = /public_html/2ndsite

would restrict script execution to that one site, only ... but would not prevent a script in 2ndsite from reaching up into ../1stsite.

<edit>
How about using virtual settings to obscure the paths from/to each site? That way they wouldn't need to be under the same public_html directory, and it would be a little more tricky for a 2ndsite attacker to get into 1stsite. i.e.

example1.com = /var/1stsite
example2.com = /var/www/public_html/2ndsite

</edit>

[edited by: StupidScript at 7:31 pm (utc) on Jan. 31, 2007]
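
The open_basedir behaviour discussed in this thread can be checked directly. The following PHP script is an added example, not code from any poster: it builds a constructed public_html/1stsite and public_html/2ndsite layout in a temporary directory, applies open_basedir for 2ndsite at runtime with ini_set() (an assumption standing in for a per-virtualhost setting), and reports which file operations PHP permits from a script running in 2ndsite.

```php
<?php
// Constructed layout mirroring the thread: two sites under one public_html.
$root  = realpath(sys_get_temp_dir()) . '/obd_demo_' . getmypid();
$site1 = "$root/public_html/1stsite";
$site2 = "$root/public_html/2ndsite";
mkdir($site1, 0700, true);
mkdir($site2, 0700, true);
file_put_contents("$site1/config.php", "<?php // 1stsite file\n");
file_put_contents("$site2/index.php", "<?php // 2ndsite file\n");

// Emulate a per-site setting for 2ndsite. On a real server this belongs in
// configuration outside the site's own code (per-directory or per-virtualhost),
// so a compromised script cannot choose its own value.
// The trailing slash pins the match to this one directory.
ini_set('open_basedir', "$site2/");
chdir($site2);

// Each attempt is made the way a script living in 2ndsite would make it.
// "@" hides the "open_basedir restriction in effect" warning; the return
// value (false) is what tells us the call was refused.
$attempts = [
    'read own file'          => fn() => @file_get_contents('index.php'),
    'read ../1stsite file'   => fn() => @file_get_contents('../1stsite/config.php'),
    'read by absolute path'  => fn() => @file_get_contents("$site1/config.php"),
    'delete ../1stsite file' => fn() => @unlink('../1stsite/config.php'),
    'write into ../1stsite'  => fn() => @file_put_contents('../1stsite/x.php', 'x'),
];

foreach ($attempts as $label => $try) {
    $result = $try();
    printf("%-24s %s\n", $label, $result === false ? 'BLOCKED' : 'allowed');
}
```

Run it with the PHP CLI (PHP 7.4 or later, for the arrow functions). The temporary directory is left in place because the restriction also stops the script from cleaning up outside 2ndsite; open_basedir covers PHP's own file functions only, not programs a script launches.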