Bug 107514 - [PATCH] let enewuser use a UID suitable for apache suexec
Summary: [PATCH] let enewuser use a UID suitable for apache suexec
Status: RESOLVED DUPLICATE of bug 55603
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Core - Ebuild Support
Hardware: All Linux
Importance: High normal
Assignee: Portage team
Reported: 2005-09-28 07:53 UTC by 0g
Modified: 2005-09-28 17:35 UTC

eutils patch (enewuser.diff,1.50 KB, patch)
2005-09-28 07:54 UTC, 0g

Description 0g 2005-09-28 07:53:14 UTC
Apache suexec is built with a MIN_UID of 1000, so that UIDs lower than this can't run CGI scripts. This 
keeps CGI scripts well away from system accounts. Problem is, enewuser can only create system 
accounts. The attached patch fixes this. enewgrp is OK since suexec's MIN_GID is 100 at present.

Reproducible: Always
Steps to Reproduce:
Comment 1 0g 2005-09-28 07:54:17 UTC
Created attachment 69419
eutils patch
Comment 2 SpanKY gentoo-dev 2005-09-28 07:58:45 UTC

*** This bug has been marked as a duplicate of 53269 ***
Comment 3 0g 2005-09-28 08:17:38 UTC
That wasn't exactly the response I expected. It is impossible to install a web application and guarantee 
its security without being able to create the user account and then run chown during installation.

The patch is trivial and tested. To reject it implies to me that enewuser is deliberately crippled. But why? 
And why is that situation the better of the two evils?
Comment 4 SpanKY gentoo-dev 2005-09-28 08:19:56 UTC
because enewuser creates system accounts, not user accounts
Comment 5 0g 2005-09-28 08:29:16 UTC
I guess that leaves a couple of possibilities:

- this is a duplicate of (somehow lower MIN_UID)
- use useradd instead of enewuser, which is a source of bugzilla entries in itself...

*** This bug has been marked as a duplicate of 55603 ***
Comment 6 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2005-09-28 17:35:02 UTC
watch bug 66397 - that's the bug I'm using as a tracker for changing the options
of suexec - now that apache is mostly settled down, I'll be looking into this in
more detail.
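
As an added example (not part of the bug report or the attached patch): a shell check that reads passwd-format lines and reports which accounts fall below the suexec minimums quoted in the description (MIN_UID 1000, MIN_GID 100). The function names and sample accounts are constructed for illustration, and treating the account's primary GID as the suexec target group is an assumption.

```shell
#!/bin/sh
# Added example: audit accounts against suexec's compiled-in minimums.
# Defaults are the values quoted in this bug; pass others as arguments.

# suexec_audit [MIN_UID] [MIN_GID]
# Reads passwd(5)-format lines on stdin, prints "name uid gid verdict".
suexec_audit() {
    min_uid=${1:-1000}
    min_gid=${2:-100}
    awk -F: -v min_uid="$min_uid" -v min_gid="$min_gid" '
        /^#/ || NF < 4 { next }                               # comments, short lines
        $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { next }         # non-numeric ids
        {
            verdict = "ok"
            # The UID is tested first, then the GID.
            if ($3 + 0 < min_uid + 0)      verdict = "uid-below-min"
            else if ($4 + 0 < min_gid + 0) verdict = "gid-below-min"
            print $1, $3, $4, verdict
        }'
}

# suexec_rejected [MIN_UID] [MIN_GID]
# Space-separated names of accounts that would not pass the minimums.
suexec_rejected() {
    suexec_audit "$@" |
        awk '$4 != "ok" { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# Constructed sample data: "webapp" stands in for a system account of the
# kind the bug says enewuser creates; "alice" and "bob" are ordinary users.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:81:81:apache:/var/www:/sbin/nologin
webapp:x:250:250:web application:/var/www/webapp:/sbin/nologin
alice:x:1000:100:Alice:/home/alice:/bin/bash
bob:x:1001:50:Bob:/home/bob:/bin/bash
EOF
}

# Stand-alone run: show the verdict for every sample account.
sample_passwd | suexec_audit
```

On a live system, feed it `getent passwd` instead of the sample data.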