Bug#: 55603
Status: CLOSED
Resolution: DUPLICATE of bug 66397
Assigned To: Apache Team - Bugzilla Reports <apache-bugs@gentoo.org>
Reporter: Calin Culianu <calin@ajvar.org>

Description:   Opened: 2004-06-29 11:57 0000
Why is it that suexec2 for apache2 is compiled with such a HIGH minimum uid of
1000?

(See the --with-suexec-uidmin=1000 compile-time option for apache2)

What is wrong with the default of 100, or better yet, 500, which is a pretty
standard UID for the start of 'real' users?

While it may be that Gentoo systems recommend real users begin at ID 1000, it
is the case that a lot of NIS/NFS networked Gentoo systems may have users with
IDs under 1000, as low as 500 (since that is the default in Red Hat, the most
common distro out there).

Basically, when I try to run CGI scripts in apache2 from a userdir
(~public_html), suexec2 fails because the minuid is not > 1000.  The default of
1000 is VERY bad as it breaks a lot of installations.  Why not go down to
something like 500?


Reproducible: Always
Steps to Reproduce:
1. Emerge apache2
2. Have a user in your system with uid < 1000
3. Put a cgi script in ~/public_html for that user and watch it fail

Actual Results:

------- Comment #1 From Calin Culianu 2004-07-02 04:00:02 0000 -------
Any thoughts on this bug?  

I may not have been too clear in my description of the bug, but basically it is absolutely impossible to use apache2's suexec2 on a Gentoo system for any user with a UID of less than 1000.  This is a major problem for people that want to run CGIs inside their UserDir (this is not uncommon).  That is because suexec2 is called automatically for requests to a CGI in a UserDir (~/public_html type of situations).  It is called even if the CGI in question doesn't have the set-uid bit set.  The authors of apache2 decided it was a good idea for all CGIs in a ~/public_html directory (but outside a cgi-bin directory) to run as the user to whom the CGIs belong.  This probably is convenient for a number of reasons, mainly having to do with file permissions.

However, on current Gentoo systems, this is outright broken unless your UID is >1000.  UIDs <1000 for regular users are not at all uncommon, given that so many other distros start numbering their users at 400 or 500.

Note: Suexec2 is not used for /cgi-bin/ URLs, just CGIs that are in an Apache UserDir.
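
An added example, not part of the original report and not Apache or Gentoo code: a shell audit that counts which home-directory accounts suexec would refuse at the minimum-UID values discussed above (100, 500, 1000). The passwd entries and the `/home/` prefix are constructed assumptions; the check mirrors suexec's rule of refusing UID 0 and any UID below the compiled-in `--with-suexec-uidmin` value.

```shell
#!/bin/sh
# Added example: audit passwd-format input against a suexec minimum UID.

# Constructed sample data (not from any real system), passwd(5) format.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:81:81:apache:/var/www:/sbin/nologin
dave:x:450:450:Dave:/home/dave:/bin/bash
alice:x:501:501:Alice:/home/alice:/bin/bash
bob:x:742:742:Bob:/home/bob:/bin/bash
carol:x:1001:1001:Carol:/home/carol:/bin/bash'

# rejected_users UIDMIN [HOME_PREFIX]
# Reads passwd lines on stdin and prints "name:uid" for every account whose
# home directory is under HOME_PREFIX (assumed UserDir candidates) and whose
# UID suexec would refuse: UID 0, or any UID strictly below UIDMIN.
rejected_users() {
    awk -F: -v min="$1" -v prefix="${2:-/home/}" '
        $3 !~ /^[0-9]+$/          { next }   # skip malformed or comment lines
        index($6, prefix) != 1    { next }   # home is not under the prefix
        $3 == 0 || $3 + 0 < min + 0 { print $1 ":" $3 }
    '
}

# compare_thresholds
# Counts refused accounts in the sample data at each minimum UID named in
# the report, so the operational cost of each setting is visible.
compare_thresholds() {
    for min in 100 500 1000; do
        n=$(printf '%s\n' "$SAMPLE_PASSWD" | rejected_users "$min" | wc -l)
        echo "uidmin=$min refused=$((n))"
    done
}

compare_thresholds
```

On a live host, feed `getent passwd` into `rejected_users` so that NIS-provided accounts are included, and pass the minimum UID your suexec binary was built with.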

------- Comment #2 From Michael Stewart (vericgar) (RETIRED) 2004-10-08 23:36:05 0000 -------
This bug is really just a subset of the issue of suexec options not being very
configurable, which is being worked on in bug 66397.

*** This bug has been marked as a duplicate of 66397 ***

------- Comment #3 From Elfyn McBratney (beu) (RETIRED) 2005-04-23 20:03:58 0000 -------
Closing.

------- Comment #4 From 0g 2005-09-28 08:29:16 0000 -------
*** Bug 107514 has been marked as a duplicate of this bug. ***
