I would also say don't run ghostscript with the same permissions as the web server, especially not if you can just hand it your PDF through stdin and take a PNG through stdout. Sandbox it as much as possible. PDF is a really complex format which means lots of opportunities for buffer overruns and the like. (Edit: Actually, reading through Arch-TK's post above, it sounds like it was much dummer than something like a buffer overrun.)