Apache suexec is built with a MIN_UID of 1000, so that UIDs lower than this can't run CGI scripts. This keeps CGI scripts well away from system accounts. Problem is, enewuser can only create system accounts. The attached patch fixes this. enewgrp is OK since suexec's MIN_GID is 100 at present. Reproducible: Always Steps to Reproduce:
Created attachment 69419 [details, diff] eutils patch
*** This bug has been marked as a duplicate of 53269 ***
That wasn't exactly the response I expected. It is impossible to install a web application and guarantee its security without being able to create the user account and then run chown during installation. The patch is trivial and tested. To reject it implies to me that enewuser is deliberately crippled. But why? And why is that situation the better of the two evils?
because enewuser creates system accounts, not user accounts
I guess that leaves a couple of possibilities: - this is a duplicate of http://bugs.gentoo.org/show_bug.cgi?id=55603 (somehow lower MIN_UID) - use useradd instead of enewuser, which is a source of bugzilla entries in itself... *** This bug has been marked as a duplicate of 55603 ***
watch bug 66397 - that's the bug I'm using as a tracker for changing the options of suexec - now that apache is mostly settled down, I'll be looking into this in more detail.