Bug 129959 - suexec broken with httpd-2.0.50-3 even with httpd-suexec installed
suexec broken with httpd-2.0.50-3 even with httpd-suexec installed
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: httpd (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Joe Orton
:
Depends On:
Blocks: FC3Target
  Show dependency treegraph
 
Reported: 2004-08-15 15:08 EDT by Jonathan Kamens
Modified: 2007-11-30 17:10 EST (History)
1 user (show)

See Also:
Fixed In Version: 2.0.50-4
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-08-20 04:27:28 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jonathan Kamens 2004-08-15 15:08:30 EDT
httpd was failing to enable suexec on start-up even when httpd-suexec
was installed.  I recompiled httpd-2.0.50-3 from source, without
making any changes whatsoever to the SRPM, and installed my recompiled
RPM, and it's now enabling suexec correctly.

While I'm at it, I'd like to point out that your warning if
SuexecUserGroup is specified and /usr/sbin/suexec is not found is not
sufficient, because many people rely on suexec being used implicitly
for CGI scripts in user directories, and you're check won't warn if
that isn't working because suexec wasn't detected.  This can introduce
security problems because it will allow user CGI scripts to run as
apache when they weren't before merely because the admin didn't know
to install httpd-suexec.
Comment 1 Joe Orton 2004-08-17 06:18:15 EDT
w.r.t first comment: had you installed httpd-suexec *before* starting
httpd?  Otherwise suexec won't be enabled.  I can't reproduce a
problem with that.

w.r.t second comment: yes, I'm concerned about that too.  The only
solution I can really see is to add back an "httpd requires
httpd-suexec" change, which somewhat defeats the point of the change
in the first place.  People would then have to install a dummy, empty
httpd-suexec package to prevent suexec from being used.  It's not very
pretty.
Comment 2 Jonathan Kamens 2004-08-19 16:35:26 EDT
Yes, I restarted httpd.  Several times.  Didn't help.  I can't 
imagine that this has anything to do with my kernel version, but 
perhaps it does.  I'm using 2.4.27-pre2-pac1, not the Red Hat 2.6.x 
kernel (because my machine locks up whenever I try to use it).  I'm 
also using a somewhat older glibc, 2.3.3-31, because newer ones have 
a bug (#125948) with my kernel.
Comment 3 Joe Orton 2004-08-20 04:27:28 EDT
Ah, if you had apr-0.9.4-19 or earlier with httpd-2.0.50-3 there was a
constant mismatch which caused this; rebuilding would have fixed it.

apr-0.9.4-20 and later with (vanilla) httpd-2.0.50-3 and later will be
OK, but you'll get the issue again if you use the package you built
locally against -19 with a newer APR, sorry about this.

httpd-2.0.50-4 requires httpd-suexec again to prevent the security
model changing on upgrades.  Update to this and apr-0.9.4-20 at the
same time and the problem should not recur.

Thanks a lot for the report.

Note You need to log in before you can comment on or make changes to this bug.