Ok, until now nobody gave my a short, clean and reasonable secure default PHP configuration, here is my home-brewn version. Keep in mind that I'm not a PHP freak, so perhaps I totally misunderstood some directives. Feel free to fix.

apache/apache.spec

@@ -66,7 +66,7 @@ Class:        BASE
 Group:        Web
 License:      ASF
 Version:      %{V_apache}
-Release:      20040813
+Release:      20040825
 
 #   package options (suexec related)
 %option       with_suexec               yes
@@ -208,6 +208,7 @@ Source23:     apache.vhost
 Source24:     apache.pl
 Source25:     rc.apache
 Source26:     apache.sh
+Source27:     php.ini
 Patch0:       apache.patch
 Patch1:       apache.patch.modowa
 Patch2:       apache.patch.php
@@ -1208,8 +1209,8 @@ AutoReqProv:  no
 
     #   optionally make PHP happy
 %if "%{with_mod_php}" == "yes"
-    %{l_shtool} install -c -m 644 /dev/null \
-        $RPM_BUILD_ROOT%{l_prefix}/etc/apache/php.ini
+    %{l_shtool} install -c -m 644 \
+        %{SOURCE php.ini} $RPM_BUILD_ROOT%{l_prefix}/etc/apache/php.ini
     rm -rf $RPM_BUILD_ROOT%{l_prefix}/include/php
     rm -rf $RPM_BUILD_ROOT%{l_prefix}/lib/php/build
     rmdir $RPM_BUILD_ROOT%{l_prefix}/lib/php >/dev/null 2>&1 || true

apache/php.ini

@@ -0,0 +1,15 @@
+;;
+;;  php.ini -- PHP Configuration
+;;
+
+[PHP]
+register_globals   = off    ; Global variables are no longer registered for input data
+safe_mode          = on     ; Enable Safe Mode (file UID comparisons)
+safe_mode_gid      = off    ; Whether to relax Safe Mode to file GID comparisons
+display_errors     = off    ; Errors will NOT be displayed
+log_errors         = on     ; Errors will be logged
+max_execution_time = 60     ; Maximum execution time of each script, in seconds
+max_input_time     = 60     ; Maximum amount of time each script may spend parsing request data
+memory_limit       = 8M     ; Maximum amount of memory a script may consume
+post_max_size      = 8M     ; Maximum amount of POST data accepted
+