| Summary: | >=www-servers/apache-2.4.23-r1: systemd hardening breaks suexec | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Russell Yanofsky <rey4> |
| Component: | Current packages | Assignee: | Apache Team - Bugzilla Reports <apache-bugs> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | cschieli, mehmet, nick, pacho, sam |
| Priority: | Normal | Keywords: | PATCH |
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=595086 | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
| Attachments: | Patch to fix systemd unit file | ||
|
Description
Russell Yanofsky
2016-11-20 14:30:14 UTC
I ran into the exact same thing yesterday, it's still an issue even with latest apache 2.4. Adding an override.conf with NoNewPrivileges=false makes suexec work. Maybe the systemd unit should be sed-patched when suexec is enabled? *** Bug 750470 has been marked as a duplicate of this bug. *** The only hardening option set in Fedora is PrivateTmp=true https://src.fedoraproject.org/rpms/httpd/blob/rawhide/f/httpd%40.service I would then simply drop all the other extra hardening to prevent problems like this. I know systemd is low priority, but given the relative simplicity of this change and the fact that it's almost 5 years old, can we get a fix? It's annoying having Apache break on every upgrade. Still exists in apache-2.4.51.
In the ebuild exists this line:
systemd_newunit "${FILESDIR}/apache2.2-hardened.service" "apache2.service"
Perhaps we shouldn't be using the hardened file unless the hardened flag is set?
Either way a simple search and replace fixes it. Apache breaking on every upgrade is ridiculous.
(In reply to Pacho Ramos from comment #3) > The only hardening option set in Fedora is > PrivateTmp=true > > https://src.fedoraproject.org/rpms/httpd/blob/rawhide/f/httpd%40.service > > I would then simply drop all the other extra hardening to prevent problems > like this. I would do this by default following Fedora/RHEL (that is one of the most tested setups too with apache+systemd) For the extra hardening, I don't care about putting it behind a USE flag... Created attachment 771944 [details, diff]
Patch to fix systemd unit file
Still present in 2.4.53. Attaching a patch.
Still present in 2.4.54-r2 Previously attached patch still valid. The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3719c65ae2577477396fb27c5e42847f1c70ca45 commit 3719c65ae2577477396fb27c5e42847f1c70ca45 Author: Hans de Graaff <graaff@gentoo.org> AuthorDate: 2022-07-27 09:40:40 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2022-07-27 09:43:20 +0000 www-servers/apache: fix systemd file Drop the duplicate PrivateTmp setting and remove the NoNewPrivileges=true setting since it causes issues with suexec and other distributions don't use this as part of their hardened configuration. Thanks to Nick Wiltshire for that patch that this is based on. Closes: https://bugs.gentoo.org/600292 Signed-off-by: Hans de Graaff <graaff@gentoo.org> www-servers/apache/apache-2.4.54-r6.ebuild | 259 +++++++++++++++++++++ .../apache/files/apache2.4-hardened.service | 25 ++ 2 files changed, 284 insertions(+) |
