Homefree + Php



YUPAPA
July 28th, 2001, 19:41
I am setting up homefree right now
If I allow PHP, will there be a security hole?

niv
July 28th, 2001, 19:43
dunno. guess you'll have to wait and find out :p

YUPAPA
July 28th, 2001, 19:45
Because if a user creates a simple file manager using PHP just like homefree, they can browse everything from the base directory '/' in the server

Then I disable PHP...

niv
July 28th, 2001, 19:49
as long as the server administrator has put passwd into a shadow file, then there shouldn't be a cause for alarm. it doesn't really matter as long as your server administrator is a wary one.

jw
July 28th, 2001, 19:56
Yes, that would be a very large security hole. homefree will make all files with owner nobody and group nobody, which is what apache runs as. You can, however, still allow the use of PHP if you configure it to use safe_mode as well as a few other options. Please read the security section of the PHP manual for more info.

Ted S
July 29th, 2001, 04:02
Homefree is meant to serve as a basic free hosting program. Ideally it controls all files, all uploads, modifications and permissions. Homefree is completely perl based and does nothing to alter the way apache, linux, windows, etc. works. Because it is OS independent, altering it to allow executables, adding in ftp, etc. is COMPLETELY insecure.

Homefree creates files under the apache user (normally nobody). If you allow perl or php there is NOTHING to stop someone from running system(rm -rf /); and deleting every file that user nobody has access to.

To put it simply, don't allow php.

YUPAPA
July 29th, 2001, 15:49
I see!
What about SSI? Server Side Includes... Is that ok?

Ted S
July 29th, 2001, 15:58
SSI is not nearly as bad since it doesn't allow nearly as much scripting and power. However, SSI can easily open files, call scripts and much more and therefore it too should not be allowed.
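
An added example, not part of any post in this thread: a small audit of a php.ini for the kind of lockdown jw's reply points to. The thread names only safe_mode; treating open_basedir and disable_functions as the "few other options" is an assumption, and both sample files and the path /home/free/sites/ are constructed.

```python
import configparser

# Functions that run shell commands as the web server user (here: nobody).
EXEC_FUNCTIONS = {"system", "exec", "passthru", "shell_exec", "popen", "proc_open"}

# Constructed sample: permissive settings.
WEAK_INI = """
[PHP]
safe_mode = Off
disable_functions =
"""

# Constructed sample: /home/free/sites/ is a hypothetical hosting root.
HARDENED_INI = """
[PHP]
safe_mode = On
open_basedir = /home/free/sites/
disable_functions = system,exec,passthru,shell_exec,popen,proc_open
"""

def audit_php_ini(text):
    """Return findings for a php.ini on a host where all scripts run as one user."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(text)
    php = parser["PHP"] if parser.has_section("PHP") else {}
    findings = []

    if php.get("safe_mode", "off").strip().lower() not in {"on", "1", "true", "yes"}:
        findings.append("safe_mode: not enabled")

    basedir = php.get("open_basedir", "").strip().strip('"')
    if basedir in {"", "/"}:
        findings.append("open_basedir: scripts can open any path from '/'")

    disabled = {f.strip().lower() for f in php.get("disable_functions", "").split(",")}
    missing = sorted(EXEC_FUNCTIONS - disabled)
    if missing:
        findings.append("disable_functions: still callable: " + ", ".join(missing))
    return findings

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit_php_ini(ini) or "no findings")
```

Because homefree creates every file as nobody, safe_mode's owner check does not separate one user's files from another's, and open_basedir only bounds scripts to the hosting root. safe_mode was removed in PHP 5.4, so this check applies to the PHP versions the thread is about.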