Bug 129959 - suexec broken with httpd-2.0.50-3 even with httpd-suexec installed
Summary: suexec broken with httpd-2.0.50-3 even with httpd-suexec installed
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: httpd
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Joe Orton
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: FC3Target
TreeView+ depends on / blocked
 
Reported: 2004-08-15 19:08 UTC by Jonathan Kamens
Modified: 2007-11-30 22:10 UTC (History)
1 user (show)

Fixed In Version: 2.0.50-4
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-08-20 08:27:28 UTC


Attachments (Terms of Use)

Description Jonathan Kamens 2004-08-15 19:08:30 UTC
httpd was failing to enable suexec on start-up even when httpd-suexec
was installed.  I recompiled httpd-2.0.50-3 from source, without
making any changes whatsoever to the SRPM, and installed my recompiled
RPM, and it's now enabling suexec correctly.

While I'm at it, I'd like to point out that your warning if
SuexecUserGroup is specified and /usr/sbin/suexec is not found is not
sufficient, because many people rely on suexec being used implicitly
for CGI scripts in user directories, and you're check won't warn if
that isn't working because suexec wasn't detected.  This can introduce
security problems because it will allow user CGI scripts to run as
apache when they weren't before merely because the admin didn't know
to install httpd-suexec.

Comment 1 Joe Orton 2004-08-17 10:18:15 UTC
w.r.t first comment: had you installed httpd-suexec *before* starting
httpd?  Otherwise suexec won't be enabled.  I can't reproduce a
problem with that.

w.r.t second comment: yes, I'm concerned about that too.  The only
solution I can really see is to add back an "httpd requires
httpd-suexec" change, which somewhat defeats the point of the change
in the first place.  People would then have to install a dummy, empty
httpd-suexec package to prevent suexec from being used.  It's not very
pretty.


Comment 2 Jonathan Kamens 2004-08-19 20:35:26 UTC
Yes, I restarted httpd.  Several times.  Didn't help.  I can't 
imagine that this has anything to do with my kernel version, but 
perhaps it does.  I'm using 2.4.27-pre2-pac1, not the Red Hat 2.6.x 
kernel (because my machine locks up whenever I try to use it).  I'm 
also using a somewhat older glibc, 2.3.3-31, because newer ones have 
a bug (#125948) with my kernel.


Comment 3 Joe Orton 2004-08-20 08:27:28 UTC
Ah, if you had apr-0.9.4-19 or earlier with httpd-2.0.50-3 there was a
constant mismatch which caused this; rebuilding would have fixed it.

apr-0.9.4-20 and later with (vanilla) httpd-2.0.50-3 and later will be
OK, but you'll get the issue again if you use the package you built
locally against -19 with a newer APR, sorry about this.

httpd-2.0.50-4 requires httpd-suexec again to prevent the security
model changing on upgrades.  Update to this and apr-0.9.4-20 at the
same time and the problem should not recur.

Thanks a lot for the report.


Note You need to log in before you can comment on or make changes to this bug.