httpd-dev mailing list archives

From "David Harris" <dhar...@drh.net>
Subject RE: RedHat RPM enables suexec by default?
Date Wed, 27 Oct 1999 13:51:18 GMT

Marc Slemko wrote:
> On Mon, 25 Oct 1999, David Harris wrote:
> >
> > Marc Slemko wrote:
> > > Does anyone know if this is true?
> > >
> > > If so, it seems... well... somewhat questionable to me.
> >
> > I don't see that in the Red Hat 6.0 Apache RPM:
>
> I think it is the 6.1 one that supposedly does it.

In the Red Hat 6.1 RPM suexec looks enabled by default...

The suexec binary is installed setuid-root...

$ rpm -qlpv apache-1.3.9-4.i386.rpm | grep sbin/suexec
-rws--x--x     root     root       9392 Sep 21 10:46 /usr/sbin/suexec

The binary points to the proper suexec location...

$ usr/sbin/httpd -V
Server version: Apache/1.3.9 (Unix)  (Red Hat/Linux)
Server built:   Sep 21 1999 10:46:27
Server's Module Magic Number: 19990320:6
Server compiled with....
 -D HAVE_MMAP
 -D HAVE_SHMGET
 -D USE_SHMGET_SCOREBOARD
 -D USE_MMAP_FILES
 -D USE_FCNTL_SERIALIZED_ACCEPT
 -D HTTPD_ROOT="/usr"
 -D SUEXEC_BIN="/usr/sbin/suexec"
[snip]

Here is the configuration for suexec from the SPEC file..

        --enable-suexec \
        --suexec-docroot=/home/httpd/html \
        --suexec-caller=nobody

The /home/httpd/html directory is owned by root and no user files are installed
in there by default, so the system administrator has to manually allow user
files in there. On the other hand setting the suexec-caller to nobody is, well,
annoying because it kind of cuts the legs off of the "did the webserver run
suexec" check.

If you'd like I could submit this as a bug in the Red Hat Bugzilla database and
recommend that they simply remove the setuid bit on the /usr/sbin/suexec binary
and include a README.SUEXEC file which instructs the administrator how to
enable suexec. This makes good sense as most people will never use suexec and
the Apache Group strongly recommends that it not be enabled by default.

I just checked bugzilla and I don't see anyone else as having reported this
"problem" yet.

 - David Harris
   Principal Engineer, DRH Internet Services
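The two checks David ran above (is the packaged suexec setuid, and which wrapper httpd was compiled to call) as an added shell audit helper; this is not code from the original post or from Red Hat's package, and the `rpm -qlpv` line and `httpd -V` output it parses are constructed samples mirroring the ones quoted in the message:

```sh
#!/bin/sh
# Added audit helper, not code from the original post: checks (1) whether a
# packaged suexec binary carries the setuid bit and (2) which wrapper httpd
# was compiled to call (the SUEXEC_BIN define shown by httpd -V).

# listing_is_setuid "LS-OR-RPM-LINE": true when the mode column shows the
# setuid bit (an 's' or 'S' in the owner-execute slot, e.g. -rws--x--x).
listing_is_setuid() {
    case "$(printf '%s' "$1" | cut -c4)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# suexec_bin_from_v "HTTPD-V-OUTPUT": prints the compiled-in SUEXEC_BIN path,
# or "none" when the build has no suexec support.
suexec_bin_from_v() {
    bin=$(printf '%s\n' "$1" | sed -n 's/^ *-D SUEXEC_BIN="\([^"]*\)".*/\1/p')
    if [ -n "$bin" ]; then printf '%s\n' "$bin"; else echo none; fi
}

# audit_suexec "HTTPD-V-OUTPUT": exit 1 when suexec is armed on this host
# (compiled in and the wrapper on disk is setuid), 0 otherwise.
audit_suexec() {
    bin=$(suexec_bin_from_v "$1")
    if [ "$bin" = none ]; then
        echo "suexec: not compiled into httpd"; return 0
    fi
    if [ -u "$bin" ]; then
        echo "suexec: ENABLED, $bin is setuid (chmod u-s $bin disables it)"
        return 1
    fi
    echo "suexec: present at $bin but disarmed (no setuid bit)"; return 0
}

# Constructed samples mirroring the post's rpm -qlpv line and httpd -V output.
SAMPLE_RPM_LINE='-rws--x--x     root     root       9392 Sep 21 10:46 /usr/sbin/suexec'
SAMPLE_V='Server version: Apache/1.3.9 (Unix)  (Red Hat/Linux)
 -D HTTPD_ROOT="/usr"
 -D SUEXEC_BIN="/usr/sbin/suexec"'
SAMPLE_V_NOSUEXEC='Server version: Apache/1.3.9 (Unix)
 -D HTTPD_ROOT="/usr"'

listing_is_setuid "$SAMPLE_RPM_LINE" && echo "package ships suexec setuid"
audit_suexec "$SAMPLE_V" || :
```

On a live host, feed `audit_suexec` the real output with `audit_suexec "$(/usr/sbin/httpd -V)"`; the exit status is non-zero only when both conditions that make suexec active hold.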
