Bug 20270
| Field | Value |
|---|---|
| Summary | suexec is not suid as it should be to be useful |
| Product | [Retired] Red Hat Linux |
| Component | apache |
| Version | 7.1 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED RAWHIDE |
| Severity | medium |
| Priority | medium |
| Reporter | Arenas Belon, Carlo Marcelo <carenas> |
| Assignee | Nalin Dahyabhai <nalin> |
| QA Contact | Dale Lovelace <dale> |
| CC | chris, dr, pekkas |
| Doc Type | Bug Fix |
| Last Closed | 2001-01-10 18:17:48 UTC |

Description
Arenas Belon, Carlo Marcelo
2000-11-03 07:50:55 UTC
As suggested by Jose Buysse <buysse.umn.edu>, a better solution should be to keep suexec fully functional but in a separate package and not installed by default. I've made such a package, adding a -suexec package, and it works pretty well: suexec is root suid but won't get installed with apache. If suexec is needed, all that is needed is to install apache-suexec and restart the apache server; next time apache will see a fully functional suexec and use it.

A new SRPM, built from the -3 SPEC and also implementing the #20269 fixes, is available at ftp://sajino.terra.com.pe/pub/linux/redhat/carenas/7.0/SRPMS/apache-1.3.14-4.src.rpm, and I am a happy user of it :) There is also a backport for 6.x, if you are lucky and dig a little on that site ;)

Created attachment 4994: patch adding the -suexec subpackage definition

There is another very elegant solution: now that apache runs under its own user (and presumably group), the correct way to fix this is to make "suexec" suid-root, group apache, executable by group but not other. Comments?

Permission on the suexec binary will be changed to 04710, owner root, group apache in apache-1.3.14-7 and later. Thanks!

bbrock pointed out that I should probably log that we've decided on 04510 instead.

This could sound silly now that the permissions are so restrictive, but taking suexec into its own RPM is a nice thing that could be done too. For sure, anyone who needs suexec can install the corresponding apache-suexec RPM and restart apache, and whoever doesn't know or doesn't care has no suid binary on their innocent apache installation.

The user who doesn't know tends to install "Everything", so the binary would be installed anyway on many machines where it would not truly be needed.
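A permission check for the layout this thread settles on (setuid root, group apache, mode 04510), as an added example that is not part of the original bug report or the apache package. The function names and verdict labels are hypothetical, and `audit_suexec` assumes GNU `stat`.

```shell
#!/bin/sh
# Added example: classify a suexec binary's mode/owner/group against the
# 04510 root:apache layout decided in this bug. Verdict words are this
# example's own labels, not output of any Red Hat or Apache tool.

# classify_suexec MODE OWNER GROUP -> prints one verdict word
classify_suexec() {
    mode=$((0$1)); owner=$2; group=$3     # leading 0 forces octal parsing
    # Without the setuid bit and root ownership, suexec cannot switch users
    # (the condition the bug summary complains about).
    if [ $(($mode & 04000)) -eq 0 ] || [ "$owner" != "root" ]; then
        echo "nonfunctional"; return
    fi
    # Any "other" bit exposes a setuid-root binary to every local user.
    if [ $(($mode & 0007)) -ne 0 ]; then
        echo "exposed-to-others"; return
    fi
    # Group write on a setuid-root file lets group members replace it.
    if [ $(($mode & 0020)) -ne 0 ]; then
        echo "writable"; return
    fi
    # Only the apache group should be able to execute it.
    if [ "$group" != "apache" ] || [ $(($mode & 0010)) -eq 0 ]; then
        echo "wrong-group"; return
    fi
    # 04710 was the first proposal; 04510 also drops the owner write bit.
    if [ $(($mode & 0200)) -ne 0 ]; then
        echo "owner-writable"; return
    fi
    echo "ok"
}

# audit_suexec PATH -> stat the file and classify it; "absent" when the
# binary is not installed (the separate-package proposal in the thread).
audit_suexec() {
    [ -e "$1" ] || { echo "absent"; return; }
    set -- $(stat -c '%a %U %G' "$1")
    classify_suexec "$1" "$2" "$3"
}
```

Run `audit_suexec` with the path of the installed suexec binary; anything other than `ok` or `absent` means the file differs from the 04510 root:apache layout.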