I guess this worries me somewhat. I thought that running php outside the webserver process would prevent this from happening. On my production server I run Apache SuExec, however because I run PHP using mod_php SuExec has no effect and therefore I must set things like safe_mode and open_basedir.
Are you telling me that even if I run PHP as a FastCGI, CGI or LiteSpeed SAPI that I can't restrict from running system commands that would allow them to view content that other virtual hosts might be running???