ok, i know that a root suid binary is not a nice default, because we all
love being safe and anyone who really cares can add the suid bit itself.
any other should not need to even be worried.
..but, suexec seems pretty innocent to me, and adding the suid bit to a
binary would rise an alarm on a normal (an also pretty innocent) rpm -Va or
suexec (AFAIK) won't work unless it is not suid but you could not be aware
of that as there is no manual (unless you install apache-manual and
therefore have a not nice browseable manual hanging on your company's
homepage), nor even a readme.
would be so dangerous to just add +s to suexec and make it work on
default?, my guess is that if it is enabled it should be ready to work,
otherwise shouldn't be enabled on default and would need a manual rebuild
as suggested by Jose Buysse <firstname.lastname@example.org>, a better solution
should be to keep suexec fully functional but on a separate package and not
installed by default.
i've made such a package adding a -suexec package and works pretty well :
suexec is root suid but won't get installed with apache, if suexec is needed all
what is needed is to install apache-suexec and restart the apache server.
next time apache would see a fully functional suexec and use it.
from -3 SPEC and implementing also the #20269 fixes is available a new SRPMS on
that i am happy user :)
there is also a backport for 6.x if you are lucky dig a little on that site ;)
Created attachment 4994 [details]
patch adding the -suexec subpackage definition
There is another very elegant solution:
Now that apache runs under its own user (and presumably group), the
correct way to fix this is to make "suexec" suid-root, group apache,
executable by group but not other.
Permission on the suexec binary will be changed to 04710, owner root, group
apache in apache-1.3.14-7 and later. Thanks!
bbrock pointed out that I should probably log that we've decided on 04510
this could sound silly now that the permision are so restrictive but taking
suexec into it's own RPM is a nice thing that could be done too.
for sure, anyone who needs suexec can install the corresponding apache-suexec
RPM and restart apache, and who don't knows/don't cares has no suid binary on
their innocent apache instalation.
The user who doesn't know tends to install "Everything", so the binary would be
installed anyway on many machines where it would not truly be needed.