Bug 303795 - Make it possible to disable parent directory owner check in www-apache/mod_suphp
Summary: Make it possible to disable parent directory owner check in www-apache/mod_suphp
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: All Linux
Importance: High normal
Assignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it
Reported: 2010-02-06 20:31 UTC by Candid Dauth
Modified: 2012-12-15 17:41 UTC

Attachments
Patch on the sources to add the new configuration value. (mod_suphp-0.7.1-parent-directory-ownership.patch, 4.14 KB, patch)
2010-02-06 20:35 UTC, Candid Dauth
Patch on the ebuild to add the suphp patch. (mod_suphp-0.7.1-parent-directory-ownership-ebuild.patch, 626 bytes, patch)
2010-02-06 20:38 UTC, Candid Dauth
Patch on the default config file to add the new setting. (mod_suphp-0.7.1-parent-directory-ownership-config.patch, 428 bytes, patch)
2010-02-06 20:39 UTC, Candid Dauth
Patch on the sources to add the new configuration value. (mod_suphp-0.7.1-parent-directory-ownership.patch, 3.57 KB, patch)
2010-02-06 21:15 UTC, Candid Dauth
Patch on the default config file to add the new setting. (mod_suphp-0.7.1-parent-directory-ownership-config.patch, 454 bytes, patch)
2010-02-06 21:16 UTC, Candid Dauth

Description Candid Dauth 2010-02-06 20:31:35 UTC
mod_suphp 0.6.3 introduced a new “security” feature that checks the parent directory of an executed file to match the file’s owner. This is undesirable in many cases. I have found a patch to add a new configuration parameter for this on http://bashcurescancer.com/media/suphp-0.6.3-parent-directory-ownership.patch and changed it to be applicable for mod_suphp-0.7.1.

Reproducible: Always

Steps to Reproduce:
Comment 1 Candid Dauth 2010-02-06 20:35:24 UTC
Created attachment 218719
Patch on the sources to add the new configuration value.
Comment 2 Candid Dauth 2010-02-06 20:38:19 UTC
Created attachment 218721
Patch on the ebuild to add the suphp patch.
Comment 3 Candid Dauth 2010-02-06 20:39:58 UTC
Created attachment 218725
Patch on the default config file to add the new setting.
Comment 4 Candid Dauth 2010-02-06 21:15:04 UTC
Created attachment 218743
Patch on the sources to add the new configuration value.

I updated the patch on the sources, the old one did not quite do what I thought it did. This one definitely works for me.
Comment 5 Candid Dauth 2010-02-06 21:16:48 UTC
Created attachment 218745
Patch on the default config file to add the new setting.

I updated the patch on the config file to better describe the setting.
Comment 6 Doktor Notor 2010-02-21 21:46:59 UTC
As you noted, this has been like this since 0.6.3, released 2008-03-30 - that's just short of two years (!). Similar patches which affect important security features need to be taken upstream - https://lists.marsching.com/mailman/listinfo/suphp, otherwise you end up with shipping something that is completely unsupported by upstream and forward-porting all that unsupported stuff from version to version when it breaks.
Comment 7 Candid Dauth 2010-02-27 19:23:04 UTC
I agree with you, but obviously the suphp developers don’t have any interest in including this patch (as I found it on that mailing list, and similar ones have been posted there many times). In my opinion, this “security feature” is a bug, and I think it should be fixed somewhere.

I don’t understand what you are trying to tell me by pointing out that this “feature” has been introduced in 2008. 0.6.2 has been removed from the Portage tree last September, and updating completely breaks many existing configurations.
Comment 8 Pacho Ramos gentoo-dev 2012-12-15 17:41:01 UTC
This needs to be fixed by upstream
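
The check discussed in this bug compares a script's owner with the owner of its parent directory. The following added example (not part of the bug report, the attached patches or suPHP's own code) audits a document root for scripts that would fail such a comparison, so affected sites can be found before an upgrade. It assumes only the immediate parent directory is compared and that owners are compared by numeric uid; the function names, the `.php` suffix filter and the uids 1001/1002 are constructed for illustration.

```python
import os
import stat
import tempfile

def find_owner_mismatches(root, suffixes=(".php",), lstat=os.lstat):
    """Return [(script, file_uid, parent_dir, dir_uid)] for every regular
    script file whose immediate parent directory has a different owner."""
    mismatches = []
    for dirpath, _dirs, filenames in os.walk(os.path.realpath(root)):
        dir_uid = lstat(dirpath).st_uid
        for name in sorted(filenames):
            if not name.endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            st = lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope here
            if st.st_uid != dir_uid:
                mismatches.append((path, st.st_uid, dirpath, dir_uid))
    return mismatches

def fake_owner_lstat(overrides):
    """lstat stand-in that reports constructed uids for the given paths
    (really changing ownership with chown would require root)."""
    def _lstat(path):
        fields = list(os.lstat(path))
        if path in overrides:
            fields[stat.ST_UID] = overrides[path]
        return os.stat_result(fields)
    return _lstat

def demo():
    """Constructed tree: own/ matches its script's owner; shared/ is reported
    as uid 1001 while the script inside it is reported as uid 1002."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        own, shared = os.path.join(root, "own"), os.path.join(root, "shared")
        for d in (own, shared):
            os.mkdir(d)
            open(os.path.join(d, "index.php"), "w").close()
        lstat = fake_owner_lstat(
            {shared: 1001, os.path.join(shared, "index.php"): 1002})
        hits = find_owner_mismatches(root, lstat=lstat)
        return [(os.path.relpath(p, root), f_uid, d_uid)
                for p, f_uid, _d, d_uid in hits]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

On a real system, call `find_owner_mismatches("/path/to/docroot")` with the default `lstat`; an empty list means no script under that root has a parent directory owned by another uid.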