FS#6028 - apache 2 suexec: do not limit user to nobody
Attached to Project: Arch Linux
Opened by Glenn Matthys (RedShift) - Sunday, 17 December 2006, 22:55 GMT
Last edited by Aaron Griffin (phrakture) - Wednesday, 09 July 2008, 16:23 GMT
Details
The PKGBUILD specifies "nobody" as the httpd user/group.
Instead of "sed -i 's|^#define AP_HTTPD_USER.*$|#define AP_HTTPD_USER "nobody"|' support/suexec.h", we should just compile apache with --enable-suexec --with-suexec-bin=/usr/bin/suexec; this way it should allow other users/groups to be specified in httpd.conf. Note that I did not test these changes, I am merely following "At least one --with-suexec-xxxxx option has to be provided together with the --enable-suexec option to let APACI accept your request for using the suEXEC feature." from http://httpd.apache.org/docs/2.2/suexec.html
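As an added example (not the Arch PKGBUILD and not code from this ticket), the shell script below shows why the compiled-in caller matters. Apache's suexec wrapper refuses to run unless it is invoked by the exact user built in as AP_HTTPD_USER (the value that configure's --with-suexec-caller sets, and that the sed line above overrides to "nobody"), and it rejects any target user or group that is root, the caller itself, or below AP_UID_MIN / AP_GID_MIN. The script compares the settings a suexec binary reports via "suexec -V" against an httpd.conf and passwd/group data, so a server switched to "User http" against a wrapper built for "nobody" is flagged before CGI requests start failing with "user mismatch" in suexec.log. All inputs (the -V listing, the httpd.conf fragment, the passwd and group entries and their numeric ids) are constructed for this example, not taken from the package.

```shell
#!/bin/sh
# Added example: check that a suexec binary's compile-time settings agree
# with the httpd.conf that will call it. Not the Arch PKGBUILD or Apache code.

# Constructed `suexec -V` listing, in the format the real binary prints.
sample_suexec_v() {
cat <<'EOF'
 -D AP_DOC_ROOT="/srv/http"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="nobody"
 -D AP_LOG_EXEC="/var/log/httpd/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=100
 -D AP_USERDIR_SUFFIX="public_html"
EOF
}

# Constructed httpd.conf: the server runs as "http" and hands CGI to "alice".
sample_httpd_conf() {
cat <<'EOF'
# Global server user/group
User http
Group http
<VirtualHost *:80>
    SuexecUserGroup alice users
</VirtualHost>
EOF
}

# Constructed /etc/passwd and /etc/group excerpts (ids are made up).
sample_passwd() {
cat <<'EOF'
root:x:0:0::/root:/bin/bash
nobody:x:99:99:nobody:/:/bin/false
http:x:33:33::/srv/http:/bin/false
alice:x:1000:100::/home/alice:/bin/bash
EOF
}

sample_group() {
cat <<'EOF'
root:x:0:
nobody:x:99:
http:x:33:
users:x:100:
EOF
}

# suexec_define NAME TEXT : value of "-D NAME=..." in a -V listing, quotes stripped
suexec_define() {
    printf '%s\n' "$2" | sed -n "s/^ *-D $1=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p"
}

# conf_field DIRECTIVE N TEXT : Nth argument of the first matching directive
conf_field() {
    printf '%s\n' "$3" | awk -v k="$1" -v n="$2" '$1 == k { print $(n+1); exit }'
}

# id_of NAME TEXT : numeric id (third field) of NAME in passwd/group-format text
id_of() {
    printf '%s\n' "$2" | awk -F: -v n="$1" '$1 == n { print $3; exit }'
}

# check_caller SUEXEC_V CONF : 0 only when httpd.conf "User" is the compiled-in caller
check_caller() {
    [ "$(suexec_define AP_HTTPD_USER "$1")" = "$(conf_field User 1 "$2")" ]
}

# check_target SUEXEC_V CONF PASSWD GROUP : 0 only when the SuexecUserGroup target
# exists, is not root, is not the caller, and is at/above AP_UID_MIN and AP_GID_MIN
check_target() {
    user=$(conf_field SuexecUserGroup 1 "$2")
    group=$(conf_field SuexecUserGroup 2 "$2")
    uid=$(id_of "$user" "$3"); gid=$(id_of "$group" "$4")
    [ -n "$uid" ] && [ -n "$gid" ] || return 1
    [ "$uid" -ne 0 ] && [ "$gid" -ne 0 ] || return 1
    [ "$user" != "$(suexec_define AP_HTTPD_USER "$1")" ] || return 1
    [ "$uid" -ge "$(suexec_define AP_UID_MIN "$1")" ] &&
    [ "$gid" -ge "$(suexec_define AP_GID_MIN "$1")" ]
}

# Run both checks against the constructed inputs.
if check_caller "$(sample_suexec_v)" "$(sample_httpd_conf)"; then
    echo "caller OK"
else
    echo "caller mismatch: httpd.conf User differs from compiled AP_HTTPD_USER"
fi
if check_target "$(sample_suexec_v)" "$(sample_httpd_conf)" "$(sample_passwd)" "$(sample_group)"; then
    echo "target OK"
else
    echo "target would be rejected by suexec"
fi
```

With the constructed inputs the first check fails (the wrapper was built for "nobody" while httpd runs as "http") and the second passes (alice/users is 1000/100, at or above the compiled minimums). On a real host, replace the sample functions with "/usr/bin/suexec -V 2>&1", the live httpd.conf, and "getent passwd" / "getent group".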
Oh crap, just saw I forgot to select the right category; this should belong in Packages: current. Sorry.
I'm not sure I'd want my apache instance running in suexec mode (shouldn't this be something you could do with abs?). I was actually quite disappointed that apache installs with the nobody account. This has traditionally been a popular attack vector.
Suexec isn't enabled by default; you have to configure apache to use it. So it's pretty safe :-) I don't see how the nobody user can be abused: it has no shell and therefore can't login, plus there are no files owned by nobody by default.
Yes of course, the issues come when another maintainer chooses nobody, writes his pid file as nobody, and lets a vulnerability close up your apache process. Or maybe a php dev writes his scripts as nobody... It's just a bad practice, not a golden rule.
Pierre, are you ok with closing this?