Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#6028 - apache 2 suexec: do not limit user to nobody
Attached to Project:
Arch Linux
Opened by Glenn Matthys (RedShift) - Sunday, 17 December 2006, 22:55 GMT
Last edited by Aaron Griffin (phrakture) - Wednesday, 09 July 2008, 16:23 GMT
Details

The PKGBUILD specifies "nobody" as the httpd user/group.

Instead of

sed -i 's|^#define AP_HTTPD_USER.*$|#define AP_HTTPD_USER "nobody"|' support/suexec.h

we should just compile apache with --enable-suexec --with-suexec-bin=/usr/bin/suexec. This way it should allow other user/group to be specified in httpd.conf. Note that I did not test these changes, I am merely following "At least one --with-suexec-xxxxx option has to be provided together with the --enable-suexec option to let APACI accept your request for using the suEXEC feature." from http://httpd.apache.org/docs/2.2/suexec.html
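The point behind this report is that the httpd user is baked into the suexec binary at build time: suexec compares the name of the uid that invokes it against the compiled-in AP_HTTPD_USER (set by the sed above, or by configure's --with-suexec-caller) and refuses to run, logging a user mismatch, if httpd's User directive names anyone else. The check a practitioner wants before relying on suexec is therefore to compare `suexec -V` (which prints the compile-time settings to stderr, and only when run as root or as the compiled-in user) with the User directive in httpd.conf. The script below is an added example by the editor, not part of the Arch PKGBUILD or of Apache; the `suexec -V` output and the httpd.conf fragments are constructed samples, and the paths in check_live_host are assumptions for an Arch-style layout.

```shell
#!/bin/sh
# Added example: verify that the user compiled into suexec (AP_HTTPD_USER)
# matches the User directive httpd runs as. Not code from the PKGBUILD or Apache.

# Constructed sample of `suexec -V` output (suexec writes it to stderr, so a
# real run needs 2>&1). AP_HTTPD_USER="nobody" is what the PKGBUILD's sed produces.
SAMPLE_SUEXEC_V=' -D AP_DOC_ROOT="/srv/http"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="nobody"
 -D AP_LOG_EXEC="/var/log/httpd/suexec.log"
 -D AP_SAFE_PATH="/usr/bin:/bin"
 -D AP_UID_MIN=100
 -D AP_USERDIR_SUFFIX="public_html"'

# Constructed httpd.conf fragment where the admin changed the User directive.
SAMPLE_HTTPD_CONF='# constructed sample
User http
Group http
LoadModule suexec_module modules/mod_suexec.so'

# Constructed fragment that keeps the user suexec was compiled for.
SAMPLE_HTTPD_CONF_FIXED='# constructed sample
User nobody
Group nobody'

# compiled_user VOUTPUT: print the AP_HTTPD_USER value from `suexec -V` text.
compiled_user() {
    printf '%s\n' "$1" | sed -n 's/^ *-D AP_HTTPD_USER="\([^"]*\)".*$/\1/p'
}

# configured_user CONF: print the value of the User directive (last one wins,
# as in httpd; trailing comments and surrounding whitespace are ignored).
configured_user() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*User[[:space:]]\{1,\}\([^[:space:]#]*\).*$/\1/p' \
        | tail -n 1
}

# suexec_users_match VOUTPUT CONF: exit 0 only if both users are present and equal.
suexec_users_match() {
    c=$(compiled_user "$1")
    u=$(configured_user "$2")
    if [ -n "$c" ] && [ -n "$u" ] && [ "$c" = "$u" ]; then
        return 0
    fi
    return 1
}

# check_live_host [SUEXEC] [HTTPD_CONF]: same check against a real install.
# Paths are assumptions for an Arch-style layout; run as root so -V prints.
check_live_host() {
    suexec_bin=${1:-/usr/bin/suexec}
    conf=${2:-/etc/httpd/conf/httpd.conf}
    vout=$("$suexec_bin" -V 2>&1) || return 2
    suexec_users_match "$vout" "$(cat "$conf")"
}

# Demonstration on the constructed samples: the admin's User change breaks suexec.
if suexec_users_match "$SAMPLE_SUEXEC_V" "$SAMPLE_HTTPD_CONF"; then
    echo "ok: suexec caller matches httpd User"
else
    echo "mismatch: suexec compiled for '$(compiled_user "$SAMPLE_SUEXEC_V")'," \
         "httpd runs as '$(configured_user "$SAMPLE_HTTPD_CONF")';" \
         "suexec will refuse every CGI request"
fi
```

The mismatch message is the failure mode this report is about: changing User in httpd.conf is not enough, because the name suexec accepts is fixed when the package is built. Either rebuild with the caller you intend (via ABS, as the comments below suggest) or keep User equal to the compiled-in value.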
Comment by Glenn Matthys (RedShift) -
Sunday, 17 December 2006, 22:55 GMT
Oh crap, just saw I forgot to select the right category, this should belong in Packages: current. Sorry.
Comment by Niel Drummond (cyanescent) -
Friday, 18 May 2007, 21:15 GMT
I'm not sure I'd want my apache instance running in suexec mode (shouldn't this be something you could do with abs?). I was actually quite disappointed that apache installs with the nobody account. This has traditionally been a popular attack vector.
Comment by Glenn Matthys (RedShift) -
Friday, 17 August 2007, 18:18 GMT
Suexec isn't enabled by default, you have to configure apache to use it. So it's pretty safe :-) I don't see how the nobody user can be abused: it has no shell and therefore can't login, plus there are no files owned by nobody by default.
Comment by Niel Drummond (cyanescent) -
Friday, 17 August 2007, 21:03 GMT
Yes, of course, the issues come when another maintainer chooses nobody, writes his pid file as nobody, and lets a vulnerability close up your apache process. Or maybe a php dev writes his scripts as nobody. It's just a bad practice, not a golden rule.
Comment by Aaron Griffin (phrakture) -
Thursday, 19 June 2008, 18:13 GMT
Pierre, are you ok with closing this?