diff --git a/src/infrastructure/setup/PhabricatorSetup.php b/src/infrastructure/setup/PhabricatorSetup.php
index 6398b2fa8e..e24a18a98c 100644
--- a/src/infrastructure/setup/PhabricatorSetup.php
+++ b/src/infrastructure/setup/PhabricatorSetup.php
@@ -147,19 +147,63 @@ class PhabricatorSetup {
       }
     }
 
-    list($err, $stdout, $stderr) = exec_manual(
-      '/usr/bin/env php -r %s',
-      'exit;');
+    list($err, $stdout, $stderr) = exec_manual('which php');
     if ($err) {
       self::writeFailure();
-      self::write("Unable to execute 'php' on the command line from the web ".
+      self::write("Unable to locate 'php' on the command line from the web ".
                   "server. Verify that 'php' is in the webserver's PATH.\n".
                   "   err: {$err}\n".
                   "stdout: {$stdout}\n".
                   "stderr: {$stderr}\n");
       return;
+    } else {
+      self::write(" okay  PHP binary found on the command line.\n");
+      $php_bin = trim($stdout);
+    }
+
+    // NOTE: In cPanel + suphp installs, 'php' may be the PHP CGI SAPI, not the
+    // PHP CLI SAPI. proc_open() will pass the environment to the child process,
+    // which will re-execute the webpage (causing an infinite number of
+    // processes to spawn). To test that the 'php' binary is safe to execute,
+    // we call php_sapi_name() using "env -i" to wipe the environment so it
+    // doesn't execute another reuqest if it's the wrong binary. We can't use
+    // "-r" because php-cgi doesn't support that flag.
+
+    $tmp_file = new TempFile('sapi.php');
+    Filesystem::writeFile($tmp_file, '<?php echo php_sapi_name();');
+
+    list($err, $stdout, $stderr) = exec_manual(
+      '/usr/bin/env -i %s -f %s',
+      $php_bin,
+      $tmp_file);
+    if ($err) {
+      self::writeFailure();
+      self::write("Unable to execute 'php' on the command line from the web ".
+                  "server.\n".
+                  "   err: {$err}\n".
+                  "stdout: {$stdout}\n".
+                  "stderr: {$stderr}\n");
+      return;
     } else {
       self::write(" okay  PHP is available from the command line.\n");
+
+      $sapi = trim($stdout);
+      if ($sapi != 'cli') {
+        self::writeFailure();
+        self::write(
+          "The 'php' binary on this system uses the '{$sapi}' SAPI, but the ".
+          "'cli' SAPI is expected. Replace 'php' with the php-cli SAPI ".
+          "binary, or edit your webserver configuration so the first 'php' ".
+          "in PATH is the 'cli' SAPI.\n\n".
+          "If you're running cPanel with suphp, the easiest way to fix this ".
+          "is to add '/usr/local/bin' before '/usr/bin' for 'env_path' in ".
+          "suconf.php:\n\n".
+          '  env_path="/bin:/usr/local/bin:/usr/bin"'.
+          "\n\n");
+        return;
+      } else {
+        self::write(" okay  'php' is CLI SAPI.\n");
+      }
     }
 
     $root = dirname(phutil_get_library_root('phabricator'));