Bug 20270

Summary: suexec is not suid as it should to be usefull
Product: [Retired] Red Hat Linux Reporter: Arenas Belon, Carlo Marcelo <carenas>
Component: apacheAssignee: Nalin Dahyabhai <nalin>
Status: CLOSED RAWHIDE QA Contact: Dale Lovelace <dale>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.1CC: chris, dr, pekkas
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2001-01-10 18:17:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
patch adding the -suexec subpackage definition none

Description Arenas Belon, Carlo Marcelo 2000-11-03 07:50:55 UTC 
ok, i know that a root suid binary is not a nice default, because we all
love being safe and anyone who really cares can add the suid bit itself.

any other should not need to even be worried.

..but, suexec seems pretty innocent to me, and adding the suid bit to a
binary would rise an alarm on a normal (an also pretty innocent) rpm -Va or
tripwire --check.

suexec (AFAIK) won't work unless it is not suid but you could not be aware
of that as there is no manual (unless you install apache-manual and
therefore have a not nice browseable manual hanging on your company's
homepage), nor even a readme.

would be so dangerous to just add +s to suexec and make it work on
default?, my guess is that if it is enabled it should be ready to work,
otherwise shouldn't be enabled on default and would need a manual rebuild
anyway
Comment 1 Arenas Belon, Carlo Marcelo 2000-11-03 14:30:03 UTC 
as suggested by Jose Buysse <buysse.umn.edu>, a better solution
should be to keep suexec fully functional but on a separate package and not
installed by default.

i've made such a package adding a -suexec package and works pretty well :

suexec is root suid but won't get installed with apache, if suexec is needed all
what is needed is to install apache-suexec and restart the apache server.

next time apache would see a fully functional suexec and use it.

from -3 SPEC and implementing also the #20269 fixes is available a new SRPMS on
ftp://sajino.terra.com.pe/pub/linux/redhat/carenas/7.0/SRPMS/apache-1.3.14-4.src.rpm
that i am happy user :)

there is also a backport for 6.x if you are lucky dig a little on that site ;)
Comment 2 Arenas Belon, Carlo Marcelo 2000-11-03 14:31:32 UTC 
Created attachment 4994 [details]
patch adding the -suexec subpackage definition
Comment 3 Chris Evans 2001-01-04 11:22:37 UTC 
There is another very elegant solution:

Now that apache runs under its own user (and presumably group), the
correct way to fix this is to make "suexec" suid-root, group apache,
executable by group but not other.

Comments?
Comment 4 Nalin Dahyabhai 2001-01-12 02:26:11 UTC 
Permission on the suexec binary will be changed to 04710, owner root, group
apache in apache-1.3.14-7 and later.  Thanks!
Comment 5 Nalin Dahyabhai 2001-02-02 17:42:21 UTC 
bbrock pointed out that I should probably log that we've decided on 04510
instead.
Comment 6 Arenas Belon, Carlo Marcelo 2001-02-02 18:18:00 UTC 
this could sound silly now that the permision are so restrictive but taking
suexec into it's own RPM is a nice thing that could be done too.

for sure, anyone who needs suexec can install the corresponding apache-suexec
RPM and restart apache, and who don't knows/don't cares has no suid binary on
their innocent apache instalation.
Comment 7 Nalin Dahyabhai 2001-02-03 02:52:54 UTC 
The user who doesn't know tends to install "Everything", so the binary would be
installed anyway on many machines where it would not truly be needed.