I’m pretty new at this. So I figured out that apache2 starts processes as www-data user. Suppose this user then starts untrusted code. What if I wanted to disallow this user to read any files (like /etc/fstab for example). How would I go about this? Ubuntu 11.04 by the way.
Are there secrets in /etc/fstab you don’t want users reading?
In general, you’d remove r access for others on the files, but fstab contain no secrets so you just likely to break things.
Specifically with Apache, you probably have the option to run it in a chroot, so it can’t read outside of /var/www or where ever your httpd lives.
Check more discussion of this question.