From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows; U; AIIEEEE!; Win98; Windows 98; en-US; Gecko masquerading as IE; should it matter?; rv:1.8b) Gecko/20050217
Description of problem:
In the httpd.spec file there are some strange values for --with-suexec-uidmin (500) and --with-suexec-gidmin (100). They are strange because normally users are created with same numerical values for uid and gid. It is also silly to do that sort of configuration at compile time because it will never be right for all systems. At the very least they should be made identical, and be given a numerical value that will match what upgraded systems will have uids starting at (say, 200).
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Actual Results: See above
Expected Results: They should have sensible values.
There should be a configuration section in httpd.conf for suexec. After all, only root can normally edit httpd.conf, but any user can compile httpd source!
That's true except when users are created in the "users" group - that's why the
minimum gid was dropped to 100. Again, this is hard-coded by design, to allow
the absolute minimum risk of security issues.
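The effect of the compiled-in minimums discussed above, as an added example that is not part of the bug report or of httpd: it reads the `-D AP_UID_MIN` / `-D AP_GID_MIN` lines that `suexec -V` prints and lists which accounts suexec would refuse as a target. The `suexec -V` text and the passwd entries are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample of `suexec -V` output for a build using the values in this report.
SUEXEC_V = '''\
 -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="apache"
 -D AP_UID_MIN=500
'''

# Constructed /etc/passwd lines: name:pw:uid:gid:gecos:home:shell
PASSWD = '''\
root:x:0:0:root:/root:/bin/bash
legacy:x:200:200:user from an upgraded system:/home/legacy:/bin/bash
alice:x:500:100:member of the users group:/home/alice:/bin/bash
bob:x:501:501:user with a private group:/home/bob:/bin/bash
'''

def compiled_minimums(suexec_v):
    """Extract the compile-time AP_UID_MIN / AP_GID_MIN from `suexec -V` text."""
    found = dict(re.findall(r"-D\s+(AP_[UG]ID_MIN)=(\d+)", suexec_v))
    return int(found["AP_UID_MIN"]), int(found["AP_GID_MIN"])

def refused_accounts(passwd, uid_min, gid_min):
    """Return {user: reason} for accounts suexec would refuse as a target.

    Mirrors suexec's checks: the target uid/gid must not be 0 and must
    not be below the compiled minimum.
    """
    refused = {}
    for line in passwd.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, uid, gid = line.split(":")[:4]
        uid, gid = int(uid), int(gid)
        if uid == 0 or uid < uid_min:
            refused[name] = f"uid {uid} is 0 or below AP_UID_MIN {uid_min}"
        elif gid == 0 or gid < gid_min:
            refused[name] = f"gid {gid} is 0 or below AP_GID_MIN {gid_min}"
    return refused

if __name__ == "__main__":
    uid_min, gid_min = compiled_minimums(SUEXEC_V)
    for user, why in refused_accounts(PASSWD, uid_min, gid_min).items():
        print(f"{user}: refused ({why})")
```

With the packaged values only `root` and `legacy` are refused; calling `refused_accounts(PASSWD, 500, 500)` also refuses `alice`, whose primary group is gid 100.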
(In reply to comment #1)
> That's true except when users are created in the "users" group - that's why the
> minimum gid was dropped to 100. Again, this is hard-coded by design, to allow
> the absolute minimum risk of security issues.
Then why does httpd have a configuration file? Isn't that a security risk? Hey,
maybe we should do "rm -fr /" because the mere existence of files is a security
This current worldwide plague of paranoia is farcical. It just takes one lame
programmer with a heightened sense of paranoid delusion (and nothing better to do
with his creativity) to totally devastate the utility of a program.
I have created a patch to use configuration data from httpd.conf. It is freely
available on my web site. Have a nice day.