Bug 183614 - Strange values for configuration --with-suexec-uidmin and --with-suexec-gidmin
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: httpd
4
All Linux
medium Severity medium
Assigned To: Joe Orton
Reported: 2006-03-02 05:40 EST by JW
Modified: 2007-11-30 17:11 EST (History)
Doc Type: Bug Fix
Last Closed: 2006-03-02 07:22:43 EST
Description JW 2006-03-02 05:40:02 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows; U; AIIEEEE!; Win98; Windows 98; en-US; Gecko masquerading as IE; should it matter?; rv:1.8b) Gecko/20050217

Description of problem:
In the httpd.spec file there are some strange values for --with-suexec-uidmin (500) and --with-suexec-gidmin (100). They are strange because normally users are created with the same numerical values for uid and gid.  It is also silly to do that sort of configuration at compile time because it will never be right for all systems.  At the very least they should be made identical, and be given a numerical value that will match what upgraded systems will have uids starting at (say, 200).



Version-Release number of selected component (if applicable):
httpd-2.0.54-10.2

How reproducible:
Always

Steps to Reproduce:
1. Read httpd.spec

Actual Results:  See above


Expected Results:  They should have sensible values.


Additional info:

There should be a configuration section in httpd.conf for suexec.  After all, only root can normally edit httpd.conf, but any user can compile httpd source!
Comment 1 Joe Orton 2006-03-02 07:22:43 EST
That's true except when users are created in the "users" group - that's why the
minimum gid was dropped to 100.  Again, this is hard-coded by design, to allow
the absolute minimum risk of security issues.
Comment 2 JW 2006-03-02 07:59:43 EST
(In reply to comment #1)
> That's true except when users are created in the "users" group - that's why the
> minimum gid was dropped to 100.  Again, this is hard-coded by design, to allow
> the absolute minimum risk of security issues.

Then why does httpd have a configuration file? Isn't that a security risk? Hey,
maybe we should do "rm -fr /" because the mere existence of files is a security
issue.

This current worldwide plague of paranoia is farcical. It just takes one lame
programmer with a heightened sense of paranoid delusion (and nothing better to do
with his creativity) to totally devastate the utility of a program.

I have created a patch to use configuration data from httpd.conf. It is freely
available on my web site. Have a nice day.
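
Added example, not part of the bug thread and not code from httpd: a small audit that reads the compiled-in minimums from `suexec -V` output and reports which accounts suexec would refuse on the uid/gid minimum checks discussed in comment 1. The `suexec -V` text and passwd lines are constructed samples; the script assumes each account's primary gid is the target group, that an id equal to the minimum is accepted, and it covers only these two checks, not suexec's others.

```python
import re

# Constructed sample of `suexec -V` output (run as root), using the values
# from the httpd.spec discussed in this bug.
SUEXEC_V = '''\
 -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="apache"
 -D AP_UID_MIN=500
'''

# Constructed /etc/passwd lines: name:pw:uid:gid:gecos:home:shell
PASSWD = '''\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
alice:x:500:500::/home/alice:/bin/bash
bob:x:501:100::/home/bob:/bin/bash
legacy:x:200:200::/home/legacy:/bin/bash
'''

def parse_minimums(text):
    """Extract the compiled-in AP_UID_MIN / AP_GID_MIN values."""
    found = dict(re.findall(r"-D (AP_[UG]ID_MIN)=(\d+)", text))
    return int(found["AP_UID_MIN"]), int(found["AP_GID_MIN"])

def audit(passwd_text, uid_min, gid_min):
    """Return {user: reason or None}; None means both minimum checks pass."""
    result = {}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, uid, gid = line.split(":")[:4]
        uid, gid = int(uid), int(gid)
        # Assumption: uid/gid 0 is always refused, then the minimum applies.
        if uid == 0 or uid < uid_min:
            result[name] = f"uid {uid} below minimum {uid_min}"
        elif gid == 0 or gid < gid_min:
            result[name] = f"gid {gid} below minimum {gid_min}"
        else:
            result[name] = None
    return result

if __name__ == "__main__":
    uid_min, gid_min = parse_minimums(SUEXEC_V)
    for user, reason in audit(PASSWD, uid_min, gid_min).items():
        print(f"{user:8} {'ok' if reason is None else 'refused: ' + reason}")
```

With the gid minimum at 100, the constructed account `bob` (primary group 100, the "users" group case from comment 1) passes; calling `audit(PASSWD, 500, 500)` shows it refused, while `legacy` (uid 200) is refused under the packaged uid minimum either way.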
