Red Hat Bugzilla – Bug 129959
suexec broken with httpd-2.0.50-3 even with httpd-suexec installed
Last modified: 2007-11-30 17:10:47 EST

httpd was failing to enable suexec on start-up even when httpd-suexec
was installed. I recompiled httpd-2.0.50-3 from source, without
making any changes whatsoever to the SRPM, and installed my recompiled
RPM, and it's now enabling suexec correctly.

While I'm at it, I'd like to point out that your warning if
SuexecUserGroup is specified and /usr/sbin/suexec is not found is not
sufficient, because many people rely on suexec being used implicitly
for CGI scripts in user directories, and your check won't warn if
that isn't working because suexec wasn't detected. This can introduce
security problems because it will allow user CGI scripts to run as
apache when they weren't before merely because the admin didn't know
to install httpd-suexec.

w.r.t first comment: had you installed httpd-suexec *before* starting
httpd? Otherwise suexec won't be enabled. I can't reproduce a
problem with that.

w.r.t second comment: yes, I'm concerned about that too. The only
solution I can really see is to add back an "httpd requires
httpd-suexec" change, which somewhat defeats the point of the change
in the first place. People would then have to install a dummy, empty
httpd-suexec package to prevent suexec from being used. It's not very

Yes, I restarted httpd. Several times. Didn't help. I can't
imagine that this has anything to do with my kernel version, but
perhaps it does. I'm using 2.4.27-pre2-pac1, not the Red Hat 2.6.x
kernel (because my machine locks up whenever I try to use it). I'm
also using a somewhat older glibc, 2.3.3-31, because newer ones have
a bug (#125948) with my kernel.

Ah, if you had apr-0.9.4-19 or earlier with httpd-2.0.50-3 there was a
constant mismatch which caused this; rebuilding would have fixed it.
apr-0.9.4-20 and later with (vanilla) httpd-2.0.50-3 and later will be
OK, but you'll get the issue again if you use the package you built
locally against -19 with a newer APR, sorry about this.

httpd-2.0.50-4 requires httpd-suexec again to prevent the security
model changing on upgrades. Update to this and apr-0.9.4-20 at the
same time and the problem should not recur.
Thanks a lot for the report.
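
The silent failure discussed in this thread (httpd starting without suexec, so user CGI scripts run as apache) can be caught from the error log. The following is an added example, not code from the report or from the httpd package: it flags every httpd start that was not preceded by the "suEXEC mechanism enabled" notice. It assumes the Apache 2.0 error_log line format; the sample log lines are constructed.

```python
import re

# Apache 2.0 error_log entry: [timestamp] [level] message
ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
# Notice logged at each (re)start when the suexec wrapper was detected
SUEXEC_ON = re.compile(r"suEXEC mechanism enabled \(wrapper: (?P<wrapper>[^)]+)\)")
STARTED = "resuming normal operations"


def audit_startups(lines):
    """Return one dict per httpd (re)start: timestamp, suexec flag, wrapper path."""
    startups = []
    wrapper = None  # set when the suEXEC notice is seen for the pending start
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m:
            continue  # skip lines that are not standard log entries
        msg = m.group("msg")
        hit = SUEXEC_ON.search(msg)
        if hit:
            wrapper = hit.group("wrapper")
        elif STARTED in msg:
            startups.append(
                {"ts": m.group("ts"), "suexec": wrapper is not None, "wrapper": wrapper}
            )
            wrapper = None  # the notice must reappear on the next (re)start
    return startups


def startups_without_suexec(lines):
    """Timestamps of starts where CGI would run as the server user."""
    return [s["ts"] for s in audit_startups(lines) if not s["suexec"]]


# Constructed sample log (not taken from the bug report)
SAMPLE_LOG = """\
[Sat Aug 14 09:12:01 2004] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat Aug 14 09:12:02 2004] [notice] Apache/2.0.50 (Fedora) configured -- resuming normal operations
[Sat Aug 14 11:30:40 2004] [notice] caught SIGTERM, shutting down
[Sat Aug 14 11:31:05 2004] [notice] Apache/2.0.50 (Fedora) configured -- resuming normal operations
[Sat Aug 14 11:45:10 2004] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico
""".splitlines()

if __name__ == "__main__":
    for ts in startups_without_suexec(SAMPLE_LOG):
        print(f"httpd started WITHOUT suexec at {ts}")
```

Running it against the error log after a package upgrade shows whether the security model changed between restarts.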