webhosting:php_and_file_permissions

What file permissions should I set to make this script work? The instructions say "chmod 777" but...

All our recent webservers run Apache with suPHP. It's there for all sites set up since June 2010, but maybe not for older sites.

suPHP runs CGIs and PHP pages as their own user, i.e. not www-data.

Here's what a site needs to do to work under suphp:

  • NO files or directories have 777 permissions. This will cause a 500 server error.
  • files and directories should be owned by the user. (Anything sent or created with FTP is.)
  • File permissions should usually be 644, and directories 755. Nothing else is needed.
  • NO php_flag or php_value entries in .htaccess. This will cause a 500 server error.
  • PHP config changes should go into the site's logs/php.ini. This file is effective for the whole vhost - you don't have to put one into every directory. If there is no php.ini, you get the system defaults. Note though, if you only set a few variables in php.ini, the others are NOT at the system defaults, but at the PHP defaults.
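An added example (not part of the original page or of suPHP itself): a shell function that checks a site directory against the rules in the list above. The name `suphp_audit` and the output labels are made up here; it flags any world-writable entry, which covers 777 but is broader than the exact mode the list names.

```shell
#!/usr/bin/env bash
# Usage: suphp_audit /path/to/site [owner]
# Prints one finding per line; returns 0 if the tree is clean, 1 otherwise.
# "owner" defaults to the user running the check (assumption: you run it
# as the account that owns the site).
suphp_audit() {
    local dir="$1" owner="${2:-$(id -u)}" findings

    findings=$(
        # World-writable files or directories (777, 666, 757, ...).
        # Symlinks always show mode 777 on Linux, so they are skipped.
        find "$dir" ! -type l -perm -0002 -print | sed 's/^/WORLD-WRITABLE /'

        # Anything not owned by the account user.
        find "$dir" ! -type l ! -user "$owner" -print | sed 's/^/WRONG-OWNER /'

        # php_flag / php_value lines in any .htaccess (file:line:text).
        find "$dir" -type f -name .htaccess -exec \
            grep -HnE '^[[:space:]]*php_(flag|value)[[:space:]]' {} \; |
            sed 's/^/HTACCESS-PHP /'
    )

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Each WORLD-WRITABLE line is fixed with chmod 755 (directory) or 644 (file); each HTACCESS-PHP line names the setting to move into php.ini.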

Explanation of suphp below stolen from jaguarpc's writeups on phpsuexec and suphp

1) PHP scripts execute using the permissions of the userid of the account holder instead of user “www-data”.

2) World-writable folders (chmod 777) are not required for file uploads through PHP. In fact you MUST NOT chmod 777 - it will cause “500 Internal Server Error”. A folder for uploads shouldn't need more than 700 or maybe 755.

3) The PHP file needs to have ownership of the user to execute in the user account (by default it is).

4) A PHP file (script) does not need 755 permissions. 644 is fine. In fact 400 or 600 is OK too (especially good for sensitive information).

6) The PHP flags that do not work in .htaccess can be moved to a php.ini file in the same folder where the PHP script exists. However, the PHP flag/value will be in the format of php.ini and not that of .htaccess. For example, this from .htaccess

php_flag register_globals off

would go into php.ini as

register_globals = off

8) Apache-specific PHP functions do not work: http://www.php.net/manual/en/ref.apache.php

9) If your .htaccess file contains an “Options” directive, it should have + or - with the directive to keep ExecCGI active.

11) Some web applications (OS Commerce, ZenCart etc.) check if their configure.php file is writable (since PHP is being executed with your userid it should be), so they will complain that it's writable. Please change the permissions to 444 via ssh. (chmod 444 /path/to/configure.php)

13) If you use “AddType application/x-httpd-php” in .htaccess, it should be set to “AddHandler application/x-httpd-php”

Similarly, if you are using ForceType in .htaccess to force a file to be treated as PHP, you will need to change it to SetHandler.