Preventing apache compromise from accessing all sites

Started by gossamer, September 06, 2022, 08:50:30 PM



gossamer

I have Apache and php-fpm configured on Fedora 35 and hosting about a dozen Joomla websites. My concern is that, should one site compromise result in a shell in the document root as the site owner, they would then have access to other sites on the same server, running under the same Apache.

Can this be prevented?

I've set separate php-fpm users and owners of the content for each site, but apache has to be in each group, or it wouldn't be able to access them itself.

Can apache and php-fpm be configured to segment access for each domain to only the owner, without allowing access to other domains as part of being in the "apache" group?

Also, once they compromise the domain and obtain a shell as the apache user or site owner, they would then also have access to the site database, if not the database for all of the sites, just by viewing the configuration.php file.



Kailash

Yes, it can access other websites and data using PHP shell code. When you are hosting different websites, it is recommended to use an operating system like CloudLinux with CageFS to restrict it. Unless you have that type of restriction, it is possible to access any data and even critical system files like passwd etc.

- Kailash
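
An added example, not part of either post above: a Python audit of the layout gossamer describes, reporting which accounts other than the owner can read each site's `configuration.php` from plain POSIX mode bits. The account names, UIDs/GIDs, paths and modes are constructed sample data, and ACLs, SELinux and root are ignored; on a real server the `Entry` values would come from `os.stat()`.

```python
from collections import namedtuple

# One path component as os.stat() would report it (all values below are constructed).
Entry = namedtuple("Entry", "path uid gid mode")

def allowed(entry, uid, gids, want):
    """Classic POSIX mode check: the first matching class (owner, group, other) decides.
    ACLs, SELinux and root's override are deliberately ignored."""
    if uid == entry.uid:
        bits = entry.mode >> 6
    elif entry.gid in gids:
        bits = entry.mode >> 3
    else:
        bits = entry.mode
    return (bits & want) == want

def can_read(chain, uid, gids):
    """chain lists every directory down to the file: directories need x (1), the file r (4)."""
    *dirs, leaf = chain
    return all(allowed(d, uid, gids, 1) for d in dirs) and allowed(leaf, uid, gids, 4)

def audit(sites, accounts):
    """Return sorted (account, site) pairs where a non-owner can read the site's config."""
    return sorted((name, site)
                  for site, (owner, chain) in sites.items()
                  for name, (uid, gids) in accounts.items()
                  if name != owner and can_read(chain, uid, gids))

# Constructed accounts: two php-fpm pool users, plus apache added to both site groups.
ACCOUNTS = {
    "site_a": (1001, {1001}),
    "site_b": (1002, {1002}),
    "apache": (48, {48, 1001, 1002}),
}
WWW = [Entry("/", 0, 0, 0o755), Entry("/var", 0, 0, 0o755), Entry("/var/www", 0, 0, 0o755)]
SITES = {
    # Site a: no permission bits for "other" on the document root or the config file.
    "a.example": ("site_a", WWW + [Entry("/var/www/a", 1001, 1001, 0o750),
                  Entry("/var/www/a/configuration.php", 1001, 1001, 0o640)]),
    # Site b: world-readable document root and config file.
    "b.example": ("site_b", WWW + [Entry("/var/www/b", 1002, 1002, 0o755),
                  Entry("/var/www/b/configuration.php", 1002, 1002, 0o644)]),
}

if __name__ == "__main__":
    for account, site in audit(SITES, ACCOUNTS):
        print(f"{account} can read configuration.php of {site}")
```

In this sample the apache account, being in both site groups, reads both files, while a pool user reaches the other site only where "other" permission bits are left set.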

