Posted to bugs@httpd.apache.org by bu...@apache.org on 2005/04/29 01:11:34 UTC
DO NOT REPLY [Bug 34671] New: - mod_suexec not privileges(5) aware
http://issues.apache.org/bugzilla/show_bug.cgi?id=34671
Summary: mod_suexec not privileges(5) aware
Product: Apache httpd-2.0
Version: 2.0.52
Platform: Sun
OS/Version: Solaris
Status: NEW
Severity: enhancement
Priority: P3
Component: mod_suexec
AssignedTo: bugs@httpd.apache.org
ReportedBy: ceri@submonkey.net
Solaris 10 provides a mechanism for specifying fine-grained permissions that can
be used in the case of suexec to avoid the requirement of having the suexec
binary setuid. However, httpd will check for the setuid bit on startup, making
this mechanism difficult to use (even though it works perfectly well).
For example, after the setuid bit is removed from the suexec wrapper below, the
suexec mechanism continues to work perfectly well, as the web server has
permission to change effective uid at will due to the proc_setid privilege.
Unfortunately, it is still necessary to set the setuid bit on the suexec wrapper
as otherwise the mechanism is not enabled.
$ id
uid=80(www) gid=80:(webservd)
$ ppriv -S $$
5672: -pfsh
flags = <none>
E: basic,net_privaddr,proc_setid
I: basic,net_privaddr,proc_setid
P: basic,net_privaddr,proc_setid
L: zone
$ su -
# chmod u+s /usr/apache2/bin/suexec
# ^D
$ apachectl start
$ grep -i suexec /var/apache2/logs/error_log
[Fri Apr 29 00:06:58 2005] [notice] suEXEC mechanism enabled (wrapper:
/usr/apache2/bin/suexec)
$ su -
# chmod u-s /usr/apache2/bin/suexec
#