
Ok, until now nobody gave me a short, clean and reasonably secure default PHP configuration, so here is my home-brewed version. Keep in mind that I'm not a PHP freak, so perhaps I totally misunderstood some directives. Feel free to fix.

Ralf S. Engelschall 21 years ago
parent
commit
1db6eae065
2 changed files with 19 additions and 3 deletions
  1. 15 0
      php/php.ini
  2. 4 3
      php/php.spec

+ 15 - 0
php/php.ini

@@ -0,0 +1,15 @@
+;;
+;;  php.ini -- PHP Configuration
+;;
+
+[PHP]
+register_globals   = off    ; Global variables are no longer registered for input data
+safe_mode          = on     ; Enable Safe Mode (file UID comparisons)
+safe_mode_gid      = off    ; Whether to relax Safe Mode to file GID comparisons
+display_errors     = off    ; Errors will NOT be displayed
+log_errors         = on     ; Errors will be logged
+max_execution_time = 60     ; Maximum execution time of each script, in seconds
+max_input_time     = 60     ; Maximum amount of time each script may spend parsing request data
+memory_limit       = 8M     ; Maximum amount of memory a script may consume
+post_max_size      = 8M     ; Maximum amount of POST data accepted
+
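
Review bot: post_max_size and memory_limit are both set to 8M, so a POST body close to the accepted maximum can use up the script's whole memory allowance before the script does any work. PHP's documentation recommends that memory_limit be larger than post_max_size, so either raise memory_limit or lower post_max_size. Separately, log_errors = on is set without an error_log directive, which leaves the log destination to the SAPI (web server error log or stderr); naming it explicitly would make this default easier to audit.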

+ 4 - 3
php/php.spec

@@ -38,7 +38,7 @@ Class:        BASE
 Group:        Language
 License:      PHP
 Version:      %{V_php}
-Release:      20040725
+Release:      20040825
 
 #   package options
 %option       with_bc                   no
@@ -102,6 +102,7 @@ Release:      20040725
 
 #   list of sources
 Source0:      http://static.php.net/www.php.net/distributions/php-%{V_php}.tar.gz
+Source1:      php.ini
 Patch0:       http://www.hardened-php.net/hardened-php-%{V_php}-%{V_php_hardened}.patch.gz
 Patch1:       php.patch
 
@@ -479,8 +480,8 @@ AutoReqProv:  no
     #   install default configuration file
     %{l_shtool} mkdir -f -p -m 755 \
         $RPM_BUILD_ROOT%{l_prefix}/etc/php
-    %{l_shtool} install -c -m 644 /dev/null \
-        $RPM_BUILD_ROOT%{l_prefix}/etc/php/php.ini
+    %{l_shtool} install -c -m 644 \
+        %{SOURCE php.ini} $RPM_BUILD_ROOT%{l_prefix}/etc/php/
 
     #   strip down installation
     strip $RPM_BUILD_ROOT%{l_prefix}/bin/* >/dev/null 2>&1 || true
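
Review bot: the install destination in this hunk changed from the explicit file path $RPM_BUILD_ROOT%{l_prefix}/etc/php/php.ini to the directory $RPM_BUILD_ROOT%{l_prefix}/etc/php/, so the installed file name now depends on the basename of the source. Keeping the explicit php.ini target would make it obvious which file the step produces. Also, the previous package installed an empty php.ini (copied from /dev/null) and this one ships safe_mode = on, so existing installations change behaviour on upgrade; that deserves a line in the package's change notes.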