httpd-dev mailing list archives

From Marc Slemko <ma...@znep.com>
Subject RE: RedHat RPM enables suexec by default?
Date Tue, 26 Oct 1999 00:21:25 GMT
On Mon, 25 Oct 1999, David Harris wrote:

> 
> Marc Slemko wrote:
> > Does anyone know if this is true?
> >
> > If so, it seems... well... somewhat questionable to me.
> 
> I don't see that in the Red Hat 6.0 Apache RPM:

I think it is the 6.1 one that supposedly does it.

> # rpm -q apache
> apache-1.3.6-7
> # rpm -ql apache | grep suexec
> /home/httpd/html/manual/suexec.html
> /home/httpd/html/manual/suexec_1_2.html
> 
> I agree that it would be questionable. I helped out the maintainer of the
> apache-mod_ssl RPM by recommending that he distribute the RPM with the
> setuid-bit on the suexec binary removed. This way a user would have to enable
> it manually to be bitten.

Yup.  In many situations, suexec makes your server far less secure.  In
some other cases, it can make it far more secure.  
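
The check discussed in this thread (whether a package's suexec binary ships with the setuid bit set), as an added example that is not part of the original message. The function names are hypothetical, and the path list is assumed to come from a command such as the `rpm -ql apache` shown in the quoted message.

```shell
#!/bin/sh
# Added example: not code from the thread or from the Apache/Red Hat packages.
# audit_suexec reads file paths on stdin (one per line), for instance the
# output of `rpm -ql apache`, and reports whether any suexec binary among
# them carries the setuid bit. Without that bit suexec cannot switch users,
# which is the "disabled unless enabled by hand" state described above.
audit_suexec() {
    found=0
    while IFS= read -r path; do
        # Match the binary only; suexec.html and similar docs are skipped.
        case "${path##*/}" in
            suexec) ;;
            *) continue ;;
        esac
        # Ignore list entries that are not regular files on this system.
        [ -f "$path" ] || continue
        found=1
        if [ -u "$path" ]; then
            echo "ENABLED  $path (setuid bit set)"
        else
            echo "DISABLED $path (no setuid bit)"
        fi
    done
    [ "$found" -eq 1 ] || echo "ABSENT   no suexec binary in list"
}

# disable_suexec clears the setuid bit, leaving the binary in place so that
# an administrator has to re-enable it deliberately (chmod u+s).
disable_suexec() {
    chmod u-s "$1"
}
```

Typical use is `rpm -ql apache | audit_suexec`; against the file list quoted in the message it would report ABSENT, since only the two manual pages match `suexec`.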

