Posted to bugs@httpd.apache.org by bu...@apache.org on 2005/04/29 01:11:34 UTC

DO NOT REPLY [Bug 34671] New: - mod_suexec not privileges(5) aware

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=34671>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=34671

           Summary: mod_suexec not privileges(5) aware
           Product: Apache httpd-2.0
           Version: 2.0.52
          Platform: Sun
        OS/Version: Solaris
            Status: NEW
          Severity: enhancement
          Priority: P3
         Component: mod_suexec
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: ceri@submonkey.net


Solaris 10 provides a mechanism for specifying fine-grained permissions that can
be used in the case of suexec to avoid the requirement of having the suexec
binary setuid.  However, httpd will check for the setuid bit on startup, making
this mechanism difficult to use (even though it works perfectly well).

For example, after the setuid bit is removed from the suexec wrapper below, the
suexec mechanism continues to work perfectly well, as the web server has
permission to change effective uid at will due to the proc_setid privilege.
Unfortunately, it is still necessary to set the setuid bit on the suexec wrapper
as otherwise the mechanism is not enabled.

$ id
uid=80(www) gid=80:(webservd)
$ ppriv -S $$
5672:	-pfsh
flags = <none>
		E: basic,net_privaddr,proc_setid
		I: basic,net_privaddr,proc_setid
		P: basic,net_privaddr,proc_setid
		L: zone
$ su -
# chmod u+s /usr/apache2/bin/suexec
# ^D
$ apachectl start
$ grep -i suexec /var/apache2/logs/error_log
[Fri Apr 29 00:06:58 2005] [notice] suEXEC mechanism enabled (wrapper:
/usr/apache2/bin/suexec)
$ su -
# chmod u-s /usr/apache2/bin/suexec
#

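The mismatch the reporter describes, shown as an added example that is not part of the bug report or of httpd's own code: a small POSIX shell script models the two checks side by side. `httpd_startup_check` stands in for the startup test the report says httpd performs (set-user-ID bit on the wrapper); `privilege_aware_check` additionally accepts a process whose effective privilege set (the `E:` line of `ppriv -S`) contains `proc_setid`, which is the situation in the transcript above. The function names, the parsing of `ppriv -S` output and the treatment of `basic` as a literal token rather than an expanded set are assumptions; the sample `ppriv` output is constructed from the transcript in the report.

```shell
#!/bin/sh
# Added example (not from the bug report or from httpd): models the two
# startup checks side by side. Function names and the ppriv parsing are
# assumptions made for illustration.

# has_setuid_bit FILE: succeed if FILE's set-user-ID bit is set.
# Uses the 4th character of the ls -ld mode string ('s' or 'S'), which is
# portable across Solaris and Linux.
has_setuid_bit() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c4)
    case "$mode" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# effective_has_priv PRIV PPRIV_OUTPUT: succeed if PRIV is listed on the
# "E:" (effective set) line of `ppriv -S` output. "basic" is matched as a
# literal token and not expanded into its member privileges (assumption).
effective_has_priv() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "E:" {
            n = split($2, a, ",")
            for (i = 1; i <= n; i++) if (a[i] == p) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# httpd_startup_check WRAPPER: the test the report says httpd applies,
# i.e. suEXEC is enabled only when the wrapper carries the setuid bit.
httpd_startup_check() {
    has_setuid_bit "$1"
}

# privilege_aware_check WRAPPER PPRIV_OUTPUT: the behaviour the report asks
# for; also accept a process that already holds proc_setid in its
# effective set, so the wrapper need not be setuid.
privilege_aware_check() {
    has_setuid_bit "$1" || effective_has_priv proc_setid "$2"
}

# Constructed sample: the `ppriv -S $$` output quoted in the report.
SAMPLE_PPRIV='5672:   -pfsh
flags = <none>
        E: basic,net_privaddr,proc_setid
        I: basic,net_privaddr,proc_setid
        P: basic,net_privaddr,proc_setid
        L: zone'

# Demo: use the live privilege set on Solaris, the constructed sample elsewhere.
# The default wrapper path is the one named in the report (assumed).
WRAPPER=${1:-/usr/apache2/bin/suexec}
if command -v ppriv >/dev/null 2>&1; then
    PPRIV_OUT=$(ppriv -S $$)
else
    PPRIV_OUT=$SAMPLE_PPRIV
fi
if httpd_startup_check "$WRAPPER"; then
    echo "$WRAPPER is setuid: httpd's startup check would enable suEXEC"
else
    echo "$WRAPPER is not setuid: httpd's startup check would leave suEXEC disabled"
fi
if privilege_aware_check "$WRAPPER" "$PPRIV_OUT"; then
    echo "privilege-aware check passes: setuid bit or proc_setid is present"
else
    echo "privilege-aware check fails: neither setuid bit nor proc_setid"
fi
```

On a Solaris 10 host the demo reads the real `ppriv -S $$` output, so running it as the `www` user from the transcript (no setuid bit on the wrapper, `proc_setid` in the effective set) shows the first check failing and the second passing, which is exactly the gap the report points at. Checking the process's own privilege set rather than the wrapper's mode bits is the natural way to express "this process is allowed to change uid" under privileges(5).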