Folder perms for specific PHP script.

Hmm, I didn't tested this, but you could use php-fpm to start a FastCGI socket and assign a specific uid and gid to it, read:

1. http://wiki.apache.org/httpd/PHP-FPM
2. http://php.net/manual/en/install.fpm.install.php
3. http://www.php.net/manual/en/install.fpm.configuration.php
4. http://www.howtoforge.com/using-php5-fpm-with-apache2-on-ubuntu-12.10

If you have linux ubuntu and PHP5 run:

sudo apt-get install php5-fpm libapache2-mod-fastcgi

then edit the php.ini related to fpm:

sudo nano /etc/php5/fpm/php.ini

And add a user and a group (previously created) specific for the FPM processes:

user string
group string

Change your scripts so they are owned by this new user and setup your virtual host to listen the FPM socket:

<VirtualHost *:80>
    ...
    <IfModule mod_fastcgi.c>
        AddHandler php5-fcgi .php
        Action php5-fcgi /php5-fcgi
        Alias /php5-fcgi /usr/lib/cgi-bin/php5-fcgi
        FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi -socket /var/run/php5-fpm.sock -pass-header Authorization
    </IfModule>
</VirtualHost>

So, at the end, the other virtual hosts will run the normal Server API: Apache 2.0 Handler and yours the FPM/FastCGI, you can check it with phpinfo(). Hope it helps, bye!

There is a flaw in my previous answer: if the other users are able to change their virtuahost, they can add the mod_fastcgi handler to their config file or to an .htaccess and override your scripts.

To fix this you could:

• install php5-fpm
• install Nginx
• host your website in Nginx
• make Nginx listen on a different port as 8000

So, you can use PHP-FastCGI through Nginx. Logically you have to remove mod_fastcgi and proxy_fcgi_module from Apache, so the users will not be able to add the handler or to redirect requests to FastCGI server.

To install Nginx run:

sudo apt-get install nginx

then create your virtual host:

sudo nano /etc/nginx/sites-available/my_server

and add a basic configuration:

server {
    listen 8000;
    server_name mywebsite.dev;

    access_log /var/log/nginx/mywebsite.access.log;
    root /var/www/mywebsite;

    location / {
            index index.php index.html index.htm;
    }

    location ~ \.php$ {
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/tmp/php.socket;
    }
}

Then save the file, enable it and reload the server:

sudo ln -s /etc/nginx/sites-available/mywebsite /etc/nginx/sites-enabled/mywebsite
sudo service nginx reload

Besides, I would run the users inside separated chroot environments, so they cannot access to your document root or each others, by simply changing theirs.

Question: .htaccess is not enough for your friends? You can do almost everything from there a part changing the DocumentRoot http://httpd.apache.org/docs/current/howto/htaccess.html

First, sorry for the late reaction. I'll have a look at this.
It will be enough for them to use a htaccess, but they have to be able to configure an x amount of websites (and make Apache redirect them to the right folder).
When this is running, I will disable shell access.

This is not really what I am looking for, each user has it's own Unix user (let's say "john"). John can log in to FTP and SSH using his Unix credentials.Now, his website has to be the same user he has (or a even better idea might me "john-httpd"). That way, I can add john-httpd to a group, and John can chgrp and chmod the group so that john-httpd can for example write to example.com/uploads, and John can still write everywhere he wants.

suPHP seems just exactly what I am looking for, however, I couldn't seem to compile it. I'll try again.

Oh my god, I spent 2 days figuring out suPHP, but then I discovered this: http://library.linode.com/web-servers/apache/php-cgi/debian-5-lenny
It is one simple Apache2 module you have to install and you're done.
I mirrored the page on pastebin, in case the website goes down: http://pastebin.com/tmHqHdke