
Bug 107514

Summary: [PATCH] let enewuser use a UID suitable for apache suexec
Product: Portage Development
Reporter: 0g <ft01>
Component: Core - Ebuild Support
Assignee: Portage team <dev-portage>
Status: RESOLVED DUPLICATE    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: eutils patch

Description 0g 2005-09-28 07:53:14 UTC
Apache suexec is built with a MIN_UID of 1000, so that UIDs lower than this can't run CGI scripts. This 
keeps CGI scripts well away from system accounts. Problem is, enewuser can only create system 
accounts. The attached patch fixes this. enewgrp is OK since suexec's MIN_GID is 100 at present.

Reproducible: Always
Steps to Reproduce:
Comment 1 0g 2005-09-28 07:54:17 UTC
Created attachment 69419
eutils patch
Comment 2 SpanKY gentoo-dev 2005-09-28 07:58:45 UTC

*** This bug has been marked as a duplicate of 53269 ***
Comment 3 0g 2005-09-28 08:17:38 UTC
That wasn't exactly the response I expected. It is impossible to install a web application and guarantee 
its security without being able to create the user account and then run chown during installation.

The patch is trivial and tested. To reject it implies to me that enewuser is deliberately crippled. But why? 
And why is that situation the better of the two evils?
Comment 4 SpanKY gentoo-dev 2005-09-28 08:19:56 UTC
because enewuser creates system accounts, not user accounts
Comment 5 0g 2005-09-28 08:29:16 UTC
I guess that leaves a couple of possibilities:

- this is a duplicate of http://bugs.gentoo.org/show_bug.cgi?id=55603 (somehow lower MIN_UID)
- use useradd instead of enewuser, which is a source of bugzilla entries in itself...

*** This bug has been marked as a duplicate of 55603 ***
Comment 6 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2005-09-28 17:35:02 UTC
watch bug 66397 - that's the bug I'm using as a tracker for changing the options
of suexec - now that apache is mostly settled down, I'll be looking into this in
more detail.
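
The minimums cited in the description can be checked against actual accounts. The script below is an added example, not part of this bug report, Portage or Apache: it reads `suexec -V`-style output and passwd lines and lists the accounts suexec would refuse. AP_UID_MIN and AP_GID_MIN are Apache's names for the settings the report calls MIN_UID and MIN_GID; both samples and all account names are constructed.

```shell
#!/bin/sh
# Added example: which accounts fall below suexec's compiled-in minimums?

# Constructed sample of `suexec -V` output, using the values from the report.
SUEXEC_V_SAMPLE=' -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="apache"
 -D AP_UID_MIN=1000'

# Constructed passwd(5) lines. "webapp" stands for an account created with a
# system-range UID; "bob" has a regular UID but a low primary GID.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
apache:x:81:81:apache:/var/www:/sbin/nologin
webapp:x:103:410:web application:/var/www/webapp:/sbin/nologin
alice:x:1000:100:Alice:/home/alice:/bin/bash
bob:x:1001:50:Bob:/home/bob:/bin/bash'

# suexec_min NAME: print the value of "-D NAME=<n>" read from stdin.
# Exits non-zero when the setting is absent, so callers never compare
# against an empty minimum.
suexec_min() {
    awk -v key="$1" '
        $1 == "-D" { split($2, kv, "=")
                     if (kv[1] == key) { print kv[2]; found = 1 } }
        END { exit !found }'
}

# suexec_rejected UID_MIN GID_MIN: read passwd lines from stdin and print
# "name reason" for every account below either minimum.
suexec_rejected() {
    awk -F: -v umin="$1" -v gmin="$2" '
        /^#/ || NF < 4 { next }
        $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { print $1, "malformed"; next }
        $3 + 0 < umin + 0 { print $1, "uid " $3 " < " umin; next }
        $4 + 0 < gmin + 0 { print $1, "gid " $4 " < " gmin }'
}

# Run the audit over the two constructed samples.
audit_sample() {
    umin=$(printf '%s\n' "$SUEXEC_V_SAMPLE" | suexec_min AP_UID_MIN) || return 1
    gmin=$(printf '%s\n' "$SUEXEC_V_SAMPLE" | suexec_min AP_GID_MIN) || return 1
    printf '%s\n' "$PASSWD_SAMPLE" | suexec_rejected "$umin" "$gmin"
}

audit_sample
```

On a live host, feed `suexec_min` the output of `suexec -V` (run as root) and `suexec_rejected` the output of `getent passwd` instead of the samples.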