Bug 20270 - suexec is not suid as it should be to be useful
Product: Red Hat Linux
Classification: Retired
Component: apache
Hardware: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: Nalin Dahyabhai
Dale Lovelace
Reported: 2000-11-03 02:50 EST by Arenas Belon, Carlo Marcelo
Modified: 2007-04-18 12:29 EDT
Doc Type: Bug Fix
Last Closed: 2001-01-10 13:17:48 EST

Attachments
patch adding the -suexec subpackage definition (1.74 KB, patch)
2000-11-03 09:31 EST, Arenas Belon, Carlo Marcelo
Description Arenas Belon, Carlo Marcelo 2000-11-03 02:50:55 EST
ok, i know that a root suid binary is not a nice default, because we all
love being safe and anyone who really cares can add the suid bit themselves.

anyone else should not even need to be worried.

..but, suexec seems pretty innocent to me, and adding the suid bit to a
binary would raise an alarm on a normal (and also pretty innocent) rpm -Va or
tripwire --check.

suexec (AFAIK) won't work unless it is not suid but you could not be aware
of that as there is no manual (unless you install apache-manual and
therefore have a not nice browseable manual hanging on your company's
homepage), nor even a readme.

would it be so dangerous to just add +s to suexec and make it work by
default? my guess is that if it is enabled it should be ready to work,
otherwise it shouldn't be enabled by default and would need a manual rebuild
Comment 1 Arenas Belon, Carlo Marcelo 2000-11-03 09:30:03 EST
as suggested by Jose Buysse <buysse@atlas.socsci.umn.edu>, a better solution
should be to keep suexec fully functional but in a separate package and not
installed by default.

i've made such a package adding a -suexec package and it works pretty well:

suexec is root suid but won't get installed with apache, if suexec is needed all
that is needed is to install apache-suexec and restart the apache server.

next time apache would see a fully functional suexec and use it.

from -3 SPEC and implementing also the #20269 fixes is available a new SRPMS on
that i am happy user :)

there is also a backport for 6.x if you are lucky dig a little on that site ;)
Comment 2 Arenas Belon, Carlo Marcelo 2000-11-03 09:31:32 EST
Created attachment 4994 [details]
patch adding the -suexec subpackage definition
Comment 3 Chris Evans 2001-01-04 06:22:37 EST
There is another very elegant solution:

Now that apache runs under its own user (and presumably group), the
correct way to fix this is to make "suexec" suid-root, group apache,
executable by group but not other.

Comment 4 Nalin Dahyabhai 2001-01-11 21:26:11 EST
Permission on the suexec binary will be changed to 04710, owner root, group
apache in apache-1.3.14-7 and later.  Thanks!
Comment 5 Nalin Dahyabhai 2001-02-02 12:42:21 EST
bbrock pointed out that I should probably log that we've decided on 04510
Comment 6 Arenas Belon, Carlo Marcelo 2001-02-02 13:18:00 EST
this could sound silly now that the permissions are so restrictive but taking
suexec into its own RPM is a nice thing that could be done too.

for sure, anyone who needs suexec can install the corresponding apache-suexec
RPM and restart apache, and whoever doesn't know/doesn't care has no suid binary on
their innocent apache installation.
Comment 7 Nalin Dahyabhai 2001-02-02 21:52:54 EST
The user who doesn't know tends to install "Everything", so the binary would be
installed anyway on many machines where it would not truly be needed.
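
Added example, not part of the bug thread or of Red Hat's packaging: a shell check that a suexec binary matches what Comments 3 to 5 settled on (setuid root, group apache, mode 04510, nothing for other). The function names, the use of GNU `stat -c`, and the path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: audit a suexec wrapper against 04510 root:apache.
# Assumptions: GNU coreutils `stat -c`; the path in the usage line below.

# suexec_findings MODE OWNER GROUP [WANT_GROUP]
# MODE is octal as printed by `stat -c %a`. Prints "ok" or a
# space-separated list of findings; exit status 0 only for "ok".
suexec_findings() {
    mode=$1 owner=$2 group=$3 want_group=${4:-apache}
    case $mode in
        ''|*[!0-7]*) echo "invalid-mode"; return 2 ;;
    esac
    m=$((0$mode))      # leading 0 makes the shell read it as octal
    out=""
    # suexec has to be setuid root to change to the target user.
    [ $((m & 04000)) -ne 0 ] || out="$out not-setuid"
    [ "$owner" = root ] || out="$out owner-not-root"
    # Comment 3: executable by group but not other.
    [ $((m & 0007)) -eq 0 ] || out="$out other-has-access"
    [ "$group" = "$want_group" ] || out="$out group-not-$want_group"
    [ $((m & 0010)) -ne 0 ] || out="$out group-cannot-execute"
    # Passed every structural check but is not the agreed mode (e.g. 04710).
    if [ -z "$out" ] && [ "$m" -ne $((04510)) ]; then
        out=" differs-from-04510"
    fi
    if [ -z "$out" ]; then echo ok; return 0; fi
    echo "${out# }"
    return 1
}

# audit_suexec PATH [WANT_GROUP]: stat the real file and classify it.
audit_suexec() {
    [ -e "$1" ] || { echo "missing"; return 3; }
    want=${2:-apache}
    # Word splitting of the three stat fields is intended here.
    set -- $(stat -c '%a %U %G' "$1")
    suexec_findings "$1" "$2" "$3" "$want"
}

# Usage (path is an assumption): audit_suexec /usr/sbin/suexec apache
```

A finding of `not-setuid` on a packaged file means suexec is installed but inert, which is the state the original report describes; `other-has-access` means any local account can invoke the setuid-root wrapper.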
