ok, i know that a root suid binary is not a nice default, because we all love being safe and anyone who really cares can add the suid bit itself. any other should not need to even be worried. ..but, suexec seems pretty innocent to me, and adding the suid bit to a binary would rise an alarm on a normal (an also pretty innocent) rpm -Va or tripwire --check. suexec (AFAIK) won't work unless it is not suid but you could not be aware of that as there is no manual (unless you install apache-manual and therefore have a not nice browseable manual hanging on your company's homepage), nor even a readme. would be so dangerous to just add +s to suexec and make it work on default?, my guess is that if it is enabled it should be ready to work, otherwise shouldn't be enabled on default and would need a manual rebuild anyway
as suggested by Jose Buysse <buysse.umn.edu>, a better solution should be to keep suexec fully functional but on a separate package and not installed by default. i've made such a package adding a -suexec package and works pretty well : suexec is root suid but won't get installed with apache, if suexec is needed all what is needed is to install apache-suexec and restart the apache server. next time apache would see a fully functional suexec and use it. from -3 SPEC and implementing also the #20269 fixes is available a new SRPMS on ftp://sajino.terra.com.pe/pub/linux/redhat/carenas/7.0/SRPMS/apache-1.3.14-4.src.rpm that i am happy user :) there is also a backport for 6.x if you are lucky dig a little on that site ;)
Created attachment 4994 [details] patch adding the -suexec subpackage definition
There is another very elegant solution: Now that apache runs under its own user (and presumably group), the correct way to fix this is to make "suexec" suid-root, group apache, executable by group but not other. Comments?
Permission on the suexec binary will be changed to 04710, owner root, group apache in apache-1.3.14-7 and later. Thanks!
bbrock pointed out that I should probably log that we've decided on 04510 instead.
this could sound silly now that the permision are so restrictive but taking suexec into it's own RPM is a nice thing that could be done too. for sure, anyone who needs suexec can install the corresponding apache-suexec RPM and restart apache, and who don't knows/don't cares has no suid binary on their innocent apache instalation.
The user who doesn't know tends to install "Everything", so the binary would be installed anyway on many machines where it would not truly be needed.