suPHP + Userdir on Ubuntu

Recently I’ve had the need to combine suPHP with the userdir mod for Apache on Ubuntu. By default they don’t play nice together. So here is a quick guide on how to get it working.

If you have installed a standard LAMP server (there are many guides on how to do this), you now need to install the suPHP package for Apache, which is called libapache2-mod-suphp:

$ sudo apt-get install libapache2-mod-suphp

Once that has been installed, open the file /etc/suphp/suphp.conf in your favourite text editor. Find the line that sets docroot and change it so that it is just “/”. This means that the suPHP engine will parse scripts anywhere in the file system, and not just in the standard html directory, thus allowing users to have their own.

docroot=/

You may also want to change the security options as appropriate; just change “false” to “true” on the applicable ones to enable them. This is worth experimenting with. Further down, make sure that “check_vhost_docroot” is set to false; this again is because userdirs are not in the vhost’s document root.

check_vhost_docroot=false

Next you have the min_uid and min_gid properties. These are worth altering if you still want to be able to have a website running as www-data (such as the default website). If this is the case, change them both to the uid and gid of www-data (33 by default). It is not recommended to allow suPHP to run as root, so do not set them to 0.

min_uid=33
min_gid=33

Finally, you need to enable the suphp and userdir mods and disable the php5 mod. This is done with two commands, followed by a restart of apache2:

sudo a2dismod php5
sudo a2enmod userdir suphp
sudo /etc/init.d/apache2 restart

This should then allow you to run php scripts as the user who created them. To test this, create a new php file that contains:

<?php
// Print the uid and gids this script is running as.
system('id');

This will give you information about the user that the PHP process is running as. I recommend changing the ownership of the file and retrying it, just to make sure suPHP is running as it should be.
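
To confirm that suphp.conf ended up with the values described above, a small check can be run against it. This is an added example, not part of the original guide; the function names conf_get and suphp_check and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: check the suphp.conf values that this guide changes.

# Print the value of KEY ($1) from ini-style FILE ($2). Lines starting with
# ';' never match, spaces around '=' are ignored, the last assignment wins.
conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Compare FILE ($1) with the guide. Prints one line per finding and
# returns the number of findings (0 means the file matches the guide).
suphp_check() {
    conf=$1 problems=0
    val=$(conf_get docroot "$conf")
    [ "$val" = "/" ] || {
        echo "docroot is '$val', the guide sets '/'"; problems=$((problems+1)); }
    val=$(conf_get check_vhost_docroot "$conf")
    [ "$val" = "false" ] || {
        echo "check_vhost_docroot is '$val', the guide sets 'false'"
        problems=$((problems+1)); }
    for key in min_uid min_gid; do
        val=$(conf_get "$key" "$conf")
        case $val in
            ''|*[!0-9]*) echo "$key is missing or not a number"
                         problems=$((problems+1)) ;;
            0)           echo "$key=0 permits running scripts as root"
                         problems=$((problems+1)) ;;
        esac
    done
    return "$problems"
}

# Constructed sample: the file as the guide leaves it, except for min_uid=0.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
; constructed sample, not a complete suphp.conf
docroot=/
check_vhost_docroot=false
min_uid=0
min_gid=33
EOF
suphp_check "$sample" || echo "findings: $?"
rm -f "$sample"
```

On a real system, call suphp_check /etc/suphp/suphp.conf after editing the file and before restarting apache2.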