Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#6028 - apache 2 suexec: do not limit user to nobody
Attached to Project:
Arch Linux
Opened by Glenn Matthys (RedShift) - Sunday, 17 December 2006, 22:55 GMT
Last edited by Aaron Griffin (phrakture) - Wednesday, 09 July 2008, 16:23 GMT
Details
The PKGBUILD specifies "nobody" as the httpd user/group.
Instead of

    sed -i 's|^#define AP_HTTPD_USER.*$|#define AP_HTTPD_USER "nobody"|' support/suexec.h

we should just compile apache with --enable-suexec --with-suexec-bin=/usr/bin/suexec. This way it should allow other user/group to be specified in httpd.conf. Note that I did not test these changes, I am merely following "At least one --with-suexec-xxxxx option has to be provided together with the --enable-suexec option to let APACI accept your request for using the suEXEC feature." from http://httpd.apache.org/docs/2.2/suexec.html
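An added check, not part of the report or of the Arch package: suexec refuses to run unless the server user calling it equals the compiled-in AP_HTTPD_USER, so a build that hardcodes "nobody" silently breaks any httpd.conf with a different User directive. The script parses the compile-time settings that `suexec -V` prints (on stderr, when run as root) and compares them with httpd.conf; both inputs below are constructed samples.

```shell
#!/bin/sh
# Cross-check the user suexec was compiled for against the User directive
# in httpd.conf. Example code added to the thread, not from the report.

# Constructed sample of `suexec -V 2>&1` from a build patched with the sed
# line quoted in the report (AP_HTTPD_USER forced to "nobody").
SUEXEC_V_SAMPLE=' -D AP_DOC_ROOT="/srv/http"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="nobody"
 -D AP_LOG_EXEC="/var/log/httpd/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=100'

# Constructed httpd.conf fragment where the admin picked a dedicated account.
HTTPD_CONF_SAMPLE='ServerRoot "/etc/httpd"
User http
Group http
Listen 80'

# Print the compiled-in AP_HTTPD_USER found in `suexec -V` text on stdin.
compiled_httpd_user() {
    sed -n 's/^ *-D AP_HTTPD_USER="\([^"]*\)".*$/\1/p'
}

# Print the last active (non-commented) User directive from httpd.conf on
# stdin; "UserDir" and similar do not match because a space must follow.
configured_httpd_user() {
    sed -n 's/^[[:space:]]*User[[:space:]][[:space:]]*\([^[:space:]][^[:space:]]*\).*$/\1/p' | tail -n 1
}

# Compare the two texts given as arguments and report match or mismatch.
check_suexec_user() {
    compiled=$(printf '%s\n' "$1" | compiled_httpd_user)
    configured=$(printf '%s\n' "$2" | configured_httpd_user)
    if [ -n "$compiled" ] && [ "$compiled" = "$configured" ]; then
        echo match
    else
        echo "mismatch: suexec built for '$compiled', httpd.conf runs as '$configured'"
    fi
}

check_suexec_user "$SUEXEC_V_SAMPLE" "$HTTPD_CONF_SAMPLE"
```

On a real host, replace the samples with `suexec -V 2>&1` and the contents of the server's httpd.conf.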
Oh crap, just saw I forgot to select the right category, this should belong in Packages: current. Sorry.

I'm not sure I'd want my apache instance running in suexec mode (shouldn't this be something you could do with abs?). I was actually quite disappointed that apache installs with the nobody account. This has traditionally been a popular attack vector.

Suexec isn't enabled by default, you have to configure apache to use it. So it's pretty safe :-) I don't see how the nobody user can be abused: it has no shell and therefore can't log in, plus there are no files owned by nobody by default.

Yes of course, the issues come when another maintainer chooses nobody, writes his pid file as nobody, and lets a vulnerability close up your apache process. Or maybe a php dev writes his scripts as nobody... it's just a bad practice, not a golden rule.

Pierre, are you ok with closing this?