
Why is PHP open_basedir not considered a security model


On servers doing shared web hosting, or sharing the PHP environment between different PHP applications, I usually implement a security policy that uses PHP open_basedir to restrict each user to his/her own directory (along with other PHP directives like disable_functions for example). I also see quite a lot of posts here on SF discussing the benefits of using this feature.

However, I have now stumbled on this notice in the Debian package file README.Debian.security, which states explicitly that they don't provide security support for (amongst others):

* Vulnerabilities involving any kind of open_basedir violation, as this feature is not considered a security model either by us or by PHP upstream.

So I wonder: is this statement just there to waive any responsibility, or does it have more fundamental reasons?

In particular, how would you go about securing a PHP server used by multiple different users without open_basedir, while trying not to raise the maintenance effort too high? Or would you just recommend never doing shared hosting, as the PHP developers state in their security note?
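The per-user setup the question describes, written out as an added example (it is not from the original post, from Debian or from PHP upstream). It is a PHP-FPM pool for one hypothetical customer "alice"; the pool name, user, socket and directory paths are assumptions. The point of the layout is that the pool runs as its own Unix user, so ordinary file permissions do the isolation, and open_basedir/disable_functions are layered on top as defence in depth rather than as the boundary Debian says it will not support:

```ini
; /etc/php/8.2/fpm/pool.d/alice.conf   (path and PHP version are assumed)
[alice]
; Primary isolation: the pool runs as a dedicated Unix account, so the
; kernel's file permissions (not open_basedir) keep it out of other
; customers' directories. Give each customer's home mode 0750/0710 with
; only the web server's group allowed to traverse it.
user = alice
group = alice
listen = /run/php/php-fpm-alice.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = ondemand
pm.max_children = 5

; Defence in depth. php_admin_value/php_admin_flag cannot be overridden
; from ini_set(), .htaccess or .user.ini, unlike php_value.
; open_basedir is a prefix match, so keep the trailing slash: "/home/alice"
; without it would also allow "/home/alice2". Include the session and
; upload directories, otherwise PHP cannot write there at all.
php_admin_value[open_basedir] = /home/alice/:/tmp/php-alice/
php_admin_value[upload_tmp_dir] = /tmp/php-alice
php_admin_value[session.save_path] = /tmp/php-alice/sessions
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec,dl
php_admin_flag[allow_url_include] = off
```

With this layout a bypass of open_basedir (which, per the README quoted above, Debian will not treat as a security bug) still leaves the attacker as the Unix user alice, unable to read /home/bob unless bob's permissions allow it; that is the property a shared host has to rely on, and the one the question is really asking how to get without open_basedir.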

