httpd-dev mailing list archives

From Magnus Stenman
Subject Re: RedHat RPM enables suexec by default?
Date Tue, 26 Oct 1999 12:11:57 GMT
Yep, it's there, and the binary seems to be compiled
with suexec enabled:

(and suexec is not suid in the mod_ssl RPMs since many
 versions back, thanks for the suggestion :)

./httpd -V
Server version: Apache/1.3.9 (Unix)  (Red Hat/Linux)
Server built:   Sep 21 1999 10:46:27
Server's Module Magic Number: 19990320:6
Server compiled with....
 -D HTTPD_ROOT="/usr"
 -D SUEXEC_BIN="/usr/sbin/suexec"
 -D DEFAULT_PIDLOG="/var/run/"
 -D DEFAULT_SCOREBOARD="/var/run/httpd.scoreboard"
 -D DEFAULT_LOCKFILE="/var/run/httpd.lock"
 -D DEFAULT_XFERLOG="/var/log/httpd/access_log"
 -D DEFAULT_ERRORLOG="/var/log/httpd/error_log"
 -D TYPES_CONFIG_FILE="/etc/httpd/conf/mime.types"
 -D SERVER_CONFIG_FILE="/etc/httpd/conf/httpd.conf"
 -D ACCESS_CONFIG_FILE="/etc/httpd/conf/access.conf"
 -D RESOURCE_CONFIG_FILE="/etc/httpd/conf/srm.conf"                 

David Harris wrote:
> Marc Slemko wrote:
> > Does anyone know if this is true?
> >
> > If so, it seems... well... somewhat questionable to me.
> I don't see that in the Red Hat 6.0 Apache RPM:
> # rpm -q apache
> apache-1.3.6-7
> # rpm -ql apache | grep suexec
> /home/httpd/html/manual/suexec.html
> /home/httpd/html/manual/suexec_1_2.html
> I agree that it would be questionable. I helped out the maintainer of the
> apache-mod_ssl RPM by recommending that he distribute the RPM with the
> setuid-bit on the suexec binary removed. This way a user would have to enable
> it manually to be bitten.
>  - David Harris
>    Principal Engineer, DRH Internet Services

 Magnus Stenman

 ...all in all, it's just another rule in the firewall. /Ping Flood
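
A check for the two conditions discussed in this thread, as an added example that is not part of the original messages: it pulls SUEXEC_BIN out of `httpd -V` output and reports whether the wrapper at that path has the setuid bit and the expected owner (root by default). The function names and the three state labels are assumptions made for this example; the sample input is an excerpt of the output quoted in the message above.

```shell
#!/bin/sh
# Added example, not from the original thread.

# Excerpt of the `httpd -V` output quoted in the message, used as sample input.
sample_httpd_V() {
    cat <<'EOF'
Server version: Apache/1.3.9 (Unix)  (Red Hat/Linux)
 -D HTTPD_ROOT="/usr"
 -D SUEXEC_BIN="/usr/sbin/suexec"
 -D DEFAULT_ERRORLOG="/var/log/httpd/error_log"
EOF
}

# Read `httpd -V` output on stdin and print the compiled-in SUEXEC_BIN path.
# Prints nothing if the build has no SUEXEC_BIN define.
suexec_bin_from_V() {
    sed -n 's/^[[:space:]]*-D[[:space:]]*SUEXEC_BIN="\([^"]*\)".*$/\1/p' | head -n 1
}

# suexec_state PATH [UID]  (state labels are this example's own)
#   absent   : no regular file at PATH
#   inactive : file exists but is not setuid, or not owned by UID
#   active   : file is setuid and owned by UID (default 0, i.e. root)
suexec_state() {
    path=$1
    want_uid=${2:-0}
    [ -f "$path" ] || { echo absent; return 0; }
    owner=$(ls -lnd "$path" | awk '{print $3}')
    if [ -u "$path" ] && [ "$owner" = "$want_uid" ]; then
        echo active
    else
        echo inactive
    fi
}

# Stand-alone run against the sample; on a real host use: httpd -V | suexec_bin_from_V
bin=$(sample_httpd_V | suexec_bin_from_V)
echo "SUEXEC_BIN=$bin state=$(suexec_state "$bin")"
```

A result of `inactive` corresponds to the packaging David Harris describes, where the wrapper ships without the setuid bit and has to be enabled by hand.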
