Bug 183614 - Strange values for configuration --with-suexec-uidmin and --with-suexec-gidmin
Summary: Strange values for configuration --with-suexec-uidmin and --with-suexec-gidmin
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: httpd   
Version: 4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Joe Orton
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
Reported: 2006-03-02 10:40 UTC by JW
Modified: 2007-11-30 22:11 UTC (History)
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-03-02 12:22:43 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description JW 2006-03-02 10:40:02 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows; U; AIIEEEE!; Win98; Windows 98; en-US; Gecko masquerading as IE; should it matter?; rv:1.8b) Gecko/20050217

Description of problem:
In the httpd.spec file there are some strange values for --with-suexec-uidmin (500) and --with-suexec-gidmin (100). They are strange because normally users are created with the same numerical values for uid and gid.  It is also silly to do that sort of configuration at compile time because it will never be right for all systems.  At the very least they should be made identical, and be given a numerical value that will match what upgraded systems will have uids starting at (say, 200).



Version-Release number of selected component (if applicable):
httpd-2.0.54-10.2

How reproducible:
Always

Steps to Reproduce:
1. Read httpd.spec

Actual Results:  See above


Expected Results:  They should have sensible values.


Additional info:

There should be a configuration section in httpd.conf for suexec.  After all, only root can normally edit httpd.conf, but any user can compile httpd source!

Comment 1 Joe Orton 2006-03-02 12:22:43 UTC
That's true except when users are created in the "users" group - that's why the
minimum gid was dropped to 100.  Again, this is hard-coded by design, to allow
the absolute minimum risk of security issues.
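To make the trade-off in comment 1 concrete, the following is an added example (not code from the bug thread or from httpd itself) that applies suexec's compiled-in uid/gid floor to a constructed account list and shows which accounts a given AP_UID_MIN/AP_GID_MIN pair admits. The `suexec -V` output and the passwd lines are constructed samples; the values 500 and 100 are the ones discussed in this bug.

```python
import re

# Constructed sample of `suexec -V` output (httpd 2.0 prints one "-D NAME=value"
# per line). AP_UID_MIN/AP_GID_MIN are the values from this bug; the other
# entries are placeholders.
SUEXEC_V_OUTPUT = """\
 -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="apache"
 -D AP_UID_MIN=500
 -D AP_USERDIR_SUFFIX="public_html"
"""

# Constructed /etc/passwd-style lines: a user in the "users" group (gid 100),
# a user with matching uid/gid, a system account and root.
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "apache:x:48:48:Apache:/var/www:/sbin/nologin",
    "alice:x:501:100:Alice:/home/alice:/bin/bash",
    "bob:x:502:502:Bob:/home/bob:/bin/bash",
]


def parse_suexec_v(output):
    """Return the compiled-in suexec settings as a dict; numeric values as int."""
    settings = {}
    for key, raw in re.findall(r"-D\s+(\w+)=(\S*)", output):
        value = raw.strip('"')
        settings[key] = int(value) if value.isdigit() else value
    return settings


def suexec_verdict(settings, uid, gid):
    """Apply suexec's identity floor to one account: refuse uid/gid 0 and
    anything below AP_UID_MIN / AP_GID_MIN. suexec's directory-ownership and
    permission checks on the script itself are not modelled here."""
    if uid == 0 or uid < settings["AP_UID_MIN"]:
        return "rejected: uid %d below AP_UID_MIN=%d" % (uid, settings["AP_UID_MIN"])
    if gid == 0 or gid < settings["AP_GID_MIN"]:
        return "rejected: gid %d below AP_GID_MIN=%d" % (gid, settings["AP_GID_MIN"])
    return "accepted"


def audit_accounts(settings, passwd_lines):
    """Map each account name to suexec's verdict under the given settings."""
    verdicts = {}
    for line in passwd_lines:
        fields = line.split(":")
        verdicts[fields[0]] = suexec_verdict(settings, int(fields[2]), int(fields[3]))
    return verdicts


if __name__ == "__main__":
    compiled = parse_suexec_v(SUEXEC_V_OUTPUT)
    for name, verdict in audit_accounts(compiled, PASSWD_LINES).items():
        print("%-8s %s" % (name, verdict))
```

Raising AP_GID_MIN to match AP_UID_MIN (500) would reject "alice", whose primary group is "users" (gid 100), which is the case comment 1 describes.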

Comment 2 JW 2006-03-02 12:59:43 UTC
(In reply to comment #1)
> That's true except when users are created in the "users" group - that's why the
> minimum gid was dropped to 100.  Again, this is hard-coded by design, to allow
> the absolute minimum risk of security issues.

Then why does httpd have a configuration file? Isn't that a security risk? Hey,
maybe we should do "rm -fr /" because the mere existence of files is a security
issue.

This current worldwide plague of paranoia is farcical. It just takes one lame
programmer with a heightened sense of paranoid delusion (and nothing better to do
with his creativity) to totally devastate the utility of a program.

I have created a patch to use configuration data from httpd.conf. It is freely
available on my web site. Have a nice day.


