Sometimes you want to set up multiple virtual hosts to run PHP code under different users. One way to do that is suPHP. Unfortunately this is rather slow because it runs PHP in standard CGI mode and needs to spawn a new process for each request. A faster way to invoke PHP is to use FastCGI which will reuse spawned PHP processes. To make those processes run under different users for different virtual hosts (vhosts) you can use SuExec.

The following will give a quick overview ho to do that. I assume certain knowledge of configuring Apache and setting up virtual hosts. I will only describe the things needed for the special FastCGI/SuExec setup here.

Let's start with installing the needed packages from the current etch distribution:

#> apt-get install apache2 libapache2-mod-fcgid php5-cgi

Now we can create our virtual host entries as usual. Here is an example to start with:

<virtualhost *>
  ServerName    www.example.com
  DocumentRoot /www/example.com
  # some settings for fastCGI
  PHP_Fix_Pathinfo_Enable 1
  MaxRequestsPerProcess 500

  SuexecUserGroup example example
  <directory /www/example.com/htdocs/>
    AddHandler fcgid-script .php
    Options +ExecCGI
    FCGIWrapper /var/www/fastcgi-example/php5-cgi .php
  </directory>
</virtualhost>

Okay, the first two lines are the usual vhost setup. What follows are two options recommended for running PHP in FastCGI mode. The first one makes sure the $_SERVER['PATH_INFO'] environment is setup correctly for your scripts. The second lets each FastCGI process die after having handled 500 requests. This ensures no possible memory leak will tear down your server.

The next line sets up the suexec mechanism and tells it to execute CGIs as user example and group example. This will be the user your PHP processes for this vhost will run under.

The last step is to bind the .php file extension to the FastCGI module and to tell it how to start the FastCGI process. This last line is the special trick. In a normal FastCGI setup (without suexec) you would point it to your PHP binary. In our case this is a small wrapper script.

Why a wrapper script? Because there is a security restriction in suexec: it will only execute scripts below the document root compiled into the Apache binary. In Debian this is /var/www/. So we need to have our PHP binary below /var/www/. SuExec won't accept symlinks. A hardlink would work, but there is another catch. The executable needs to be owned by the user and group we defined earlier in the SuexecUserGroup line. But we want different users for our different vhosts which wouldn't work with hard links. So we use a wrapper script with the following content:

#!/bin/sh
exec /usr/bin/php5-cgi "$@"

You see, it simply replaces the running shell process with the correct PHP5 call.

The script needs to be owned by the correct user and group and has to have execution permissions and there is another restriction: it needs to be inside a directory owned by the same user which is not writable by anyone else.

So in our example case we have /var/www/fastcgi-example owned by example:example and permissions 755 and /var/www/fastcgi-example ownd by example:example and permissions 755 as well.

That's it - start up apache and have your vhosts run under different users