From Bugzilla Helper: User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows; U; AIIEEEE!; Win98; Windows 98; en-US; Gecko masquerading as IE; should it matter?; rv:1.8b) Gecko/20050217 Description of problem: In the httpd.spec file there are some strange values for --with-suexec-uidmin (500) and --with-suexec-gidmin (100). They are strange because normally users are create with same numerical values for uid and gid. It is also silly to do that sort of configuration at compile time because it will never be right for all systems. At the very least they should be made identical, and be given a numerical value that will match what upgraded systems will have uids starting at (say, 200). Version-Release number of selected component (if applicable): httpd-2.0.54-10.2 How reproducible: Always Steps to Reproduce: 1.Read httpd.spec 2. 3. Actual Results: See above Expected Results: They should have sensible values. Additional info: There should be a configuration section in httpd.conf for suexec. After all, only root can normally edit httpd.conf, but any user can compile httpd source!
That's true except when users are created in the "users" group - that's why the minimum gid was dropped to 100. Again, this is hard-coded by design, to allow the absolute minimum risk of security issues.
(In reply to comment #1) > That's true except when users are created in the "users" group - that's why the > minimum gid was dropped to 100. Again, this is hard-coded by design, to allow > the absolute minimum risk of security issues. Then why does httpd have a configuration file? Isn't that a security risk? Hey, maybe we should do "rm -fr /" because the mere existence of files is a security issue. This current worldwide plague of paranoia is farcical. It just takes one lame programmer with a hightened sense of paranoid delusion (and nothing better to do with his creativity) to totally devastate the utility of a program. I have created a patch to use configuration data from httpd.conf. It is freely available on my web site. Have a nice day.