Bug 183614

Summary: Strange values for configuration --with-suexec-uidmin and --with-suexec-gidmin
Product: [Fedora] Fedora
Reporter: JW <ohtmvyyn>
Component: httpd
Assignee: Joe Orton <jorton>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: 4
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2006-03-02 12:22:43 UTC

Description JW 2006-03-02 10:40:02 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows; U; AIIEEEE!; Win98; Windows 98; en-US; Gecko masquerading as IE; should it matter?; rv:1.8b) Gecko/20050217

Description of problem:
In the httpd.spec file there are some strange values for --with-suexec-uidmin (500) and --with-suexec-gidmin (100). They are strange because normally users are created with the same numerical values for uid and gid.  It is also silly to do that sort of configuration at compile time because it will never be right for all systems.  At the very least they should be made identical, and be given a numerical value that will match what upgraded systems will have uids starting at (say, 200).



Version-Release number of selected component (if applicable):
httpd-2.0.54-10.2

How reproducible:
Always

Steps to Reproduce:
1. Read httpd.spec

Actual Results: See above

Expected Results: They should have sensible values.


Additional info:

There should be a configuration section in httpd.conf for suexec.  After all, only root can normally edit httpd.conf, but any user can compile httpd source!

Comment 1 Joe Orton 2006-03-02 12:22:43 UTC
That's true except when users are created in the "users" group - that's why the
minimum gid was dropped to 100.  Again, this is hard-coded by design, to allow
the absolute minimum risk of security issues.
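As an added example, not part of this bug report and not code from httpd or Fedora: a small audit script that applies suexec's compiled-in minimums (AP_UID_MIN and AP_GID_MIN, the values set by --with-suexec-uidmin and --with-suexec-gidmin) to passwd-format data and reports which accounts suexec would refuse to run as. The thresholds default to the Fedora values quoted in the report (uid 500, gid 100); the passwd lines are constructed sample data, not taken from any real system. Only the two threshold checks are modelled here; the real suexec performs further checks (non-root target, directory and file ownership, and so on). On a real host the compiled-in values can be read with `suexec -V`.

```python
"""Audit which accounts suexec's compiled-in uid/gid minimums would refuse.

Added example; not code from the bug report, httpd or Fedora. suexec is a
setuid-root helper, and it rejects a target uid below AP_UID_MIN or a
target gid below AP_GID_MIN. These values are fixed at build time, so a
config file that the (unprivileged) httpd user could influence is never
consulted. Defaults below are the Fedora values quoted in the report.
"""

AP_UID_MIN = 500   # --with-suexec-uidmin, as quoted in the report
AP_GID_MIN = 100   # --with-suexec-gidmin, as quoted in the report

# Constructed sample passwd data (not from a real system). "bob" sits in
# the "users" group (gid 100) that comment 1 mentions; "legacy" has the
# kind of low uid the reporter says upgraded systems may start at.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
alice:x:500:500::/home/alice:/bin/bash
bob:x:501:100::/home/bob:/bin/bash
legacy:x:200:200::/home/legacy:/bin/bash
"""


def parse_passwd(text):
    """Return {name: (uid, gid)} from passwd-format text, skipping junk."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        accounts[fields[0]] = (int(fields[2]), int(fields[3]))
    return accounts


def suexec_refuses(uid, gid, uid_min=AP_UID_MIN, gid_min=AP_GID_MIN):
    """Mirror suexec's two threshold checks.

    Returns a short reason string if the target would be refused, or None
    if both thresholds are satisfied.
    """
    if uid < uid_min:
        return "uid %d below AP_UID_MIN=%d" % (uid, uid_min)
    if gid < gid_min:
        return "gid %d below AP_GID_MIN=%d" % (gid, gid_min)
    return None


def audit(passwd_text, uid_min=AP_UID_MIN, gid_min=AP_GID_MIN):
    """Return {name: reason} for every account the thresholds would refuse."""
    refused = {}
    for name, (uid, gid) in parse_passwd(passwd_text).items():
        reason = suexec_refuses(uid, gid, uid_min, gid_min)
        if reason is not None:
            refused[name] = reason
    return refused


if __name__ == "__main__":
    print("With Fedora defaults (uid >= 500, gid >= 100):")
    for name, reason in sorted(audit(SAMPLE_PASSWD).items()):
        print("  %-8s refused: %s" % (name, reason))
    print("With identical minimums (uid >= 500, gid >= 500), as the report suggests:")
    for name, reason in sorted(audit(SAMPLE_PASSWD, 500, 500).items()):
        print("  %-8s refused: %s" % (name, reason))
```

Running the second audit with both minimums raised to 500 shows the effect comment 1 describes: an account in the "users" group (gid 100) is accepted under the Fedora defaults but refused once the gid minimum is made equal to the uid minimum, which is why the gid floor was lowered.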

Comment 2 JW 2006-03-02 12:59:43 UTC
(In reply to comment #1)
> That's true except when users are created in the "users" group - that's why the
> minimum gid was dropped to 100.  Again, this is hard-coded by design, to allow
> the absolute minimum risk of security issues.

Then why does httpd have a configuration file? Isn't that a security risk? Hey,
maybe we should do "rm -fr /" because the mere existence of files is a security
issue.

This current worldwide plague of paranoia is farcical. It just takes one lame
programmer with a heightened sense of paranoid delusion (and nothing better to do
with his creativity) to totally devastate the utility of a program.

I have created a patch to use configuration data from httpd.conf. It is freely
available on my web site. Have a nice day.