Why is it that suexec2 for apache2 is compiled with such a HIGH minimum uid of 1000? (See the --with-suexec-uidmin=1000 compile-time option for apache2.) What is wrong with the default of 100, or better yet, 500, which is a pretty standard UID for the start of 'real' users?

While it may be that Gentoo systems recommend real users begin at ID 1000, it is the case that a lot of NIS/NFS networked Gentoo systems may have users with IDs under 1000, as low as 500 (since that is the default in Red Hat, the most common distro out there).

Basically, when I try to run CGI scripts in apache2 from a userdir (~/public_html), suexec2 fails because the minuid is not > 1000. The default of 1000 is VERY bad as it breaks a lot of installations. Why not go down to something like 500?

Reproducible: Always

Steps to Reproduce:
1. Emerge apache2
2. Have a user in your system with uid < 1000
3. Put a cgi script in ~/public_html for that user and watch it fail

Actual Results:
Any thoughts on this bug? I may not have been too clear in my description of the bug, but basically it is absolutely impossible to use apache2's suexec2 on a Gentoo system for any user with a UID of less than 1000. This is a major problem for people that want to run CGIs inside their UserDir (this is not uncommon).

That is because suexec2 is called automatically for requests to a CGI in a UserDir (~/public_html type of situations). It is called even if the CGI in question doesn't have the set-uid bit set. The authors of apache2 decided it was a good idea for all CGIs in a ~/public_html directory (but outside a cgi-bin directory) to run as the user to whom the CGIs belong. This probably is convenient for a number of reasons, mainly having to do with file permissions.

However, on current Gentoo systems, this is outright broken unless your UID is >1000. UIDs <1000 for regular users are not at all uncommon, given that so many other distros start numbering their users at 400 or 500.

Note: Suexec2 is not used for /cgi-bin/ URLs, just CGIs that are in an apache UserDir.
This bug is really just a subset of the issue of suexec options not being very configurable, which is being worked on in bug 66397.

*** This bug has been marked as a duplicate of 66397 ***
Closing.
*** Bug 107514 has been marked as a duplicate of this bug. ***
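
An added example, not part of the original bug thread or of Apache or Gentoo code: a shell audit that reads the compiled-in UID floor from `suexec -V` style output and lists the login accounts that fall below it, which are the accounts whose UserDir CGIs suexec will refuse to run. The sample `-V` output, the passwd entries, the function names and the site threshold of 500 for the first real user are constructed assumptions.

```shell
#!/bin/sh
# Added example. All sample data below is constructed, not taken from a real host.

# Read `suexec -V` style output on stdin and print the compiled-in UID floor.
# Assumes the " -D AP_UID_MIN=<n>" line format that suexec prints for root.
suexec_uid_min() {
    sed -n 's/^[[:space:]]*-D[[:space:]]*AP_UID_MIN=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Read passwd(5) lines on stdin. $1 = suexec floor, $2 = first UID this site
# hands to real users (assumption: 500, the figure quoted in the report).
# Prints "name:uid" for every login account that suexec would refuse.
users_below_floor() {
    awk -F: -v floor="$1" -v first="$2" '
        NF < 7 || $3 !~ /^[0-9]+$/ { next }   # skip malformed and NIS "+" lines
        $7 ~ /(nologin|false)$/    { next }   # skip service accounts
        ($3 + 0) >= (first + 0) && ($3 + 0) < (floor + 0) { print $1 ":" $3 }
    '
}

# Constructed stand-in for the output of `suexec -V` run as root.
SAMPLE_SUEXEC_V=' -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_UID_MIN=1000
 -D AP_USERDIR_SUFFIX="public_html"'

# Constructed passwd database mixing local and NIS-numbered accounts.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:81:81:apache:/home/httpd:/bin/false
alice:x:500:100:NIS user:/home/alice:/bin/bash
bob:x:734:100:NIS user:/home/bob:/bin/bash
carol:x:1000:100:local user:/home/carol:/bin/bash
+::::::'

floor=$(printf '%s\n' "$SAMPLE_SUEXEC_V" | suexec_uid_min)
printf 'suexec UID floor: %s\n' "$floor"
printf 'accounts suexec will refuse:\n'
printf '%s\n' "$SAMPLE_PASSWD" | users_below_floor "$floor" 500
```

On a live host, feed the first function from `suexec2 -V 2>&1` run as root (the listing is written to stderr) and the second from `getent passwd`, so that NIS accounts are included.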