Bug 55603 - suexec2 for apache is compiled with a HIGH minuid!
Summary: suexec2 for apache is compiled with a HIGH minuid!
Status: VERIFIED DUPLICATE of bug 66397
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: All Linux
Importance: High normal
Assignee: Apache Team - Bugzilla Reports
Duplicates: 107514
Reported: 2004-06-29 11:57 UTC by Calin Culianu
Modified: 2005-09-28 08:29 UTC (History)
Description Calin Culianu 2004-06-29 11:57:23 UTC
Why is it that suexec2 for apache2 is compiled with such a HIGH minimum uid of 1000?

(See the --with-suexec-uidmin=1000 compile-time option for apache2)

What is wrong with the default of 100, or better yet, 500, which is a pretty standard UID for the start of 'real' users?

While it may be that Gentoo systems recommend real users begin at ID 1000, it is the case that a lot of NIS/NFS networked Gentoo systems may have users with IDs under 1000, as low as 500 (since that is the default in Red Hat, the most common distro out there).

Basically, when I try to run CGI scripts in apache2 from a userdir (~public_html), suexec2 fails because the minuid is not > 1000.  The default of 1000 is VERY bad as it breaks a lot of installations.  Why not go down to something like 500?


Reproducible: Always
Steps to Reproduce:
1. Emerge apache2
2. Have a user in your system with uid < 1000
3. Put a cgi script in ~/public_html for that user and watch it fail

Actual Results:
Comment 1 Calin Culianu 2004-07-02 04:00:02 UTC
Any thoughts on this bug?  

I may not have been too clear in my description of the bug, but basically it is absolutely impossible to use apache2's suexec2 on a Gentoo system for any user with a UID of less than 1000. This is a major problem for people that want to run CGIs inside their UserDir (this is not uncommon). That is because suexec2 is called automatically for requests to a CGI in a UserDir (~/public_html type of situations). It is called even if the CGI in question doesn't have the set-uid bit set. The authors of apache2 decided it was a good idea for all CGIs in a ~/public_html directory (but outside a cgi-bin directory) to run as the user to whom the CGIs belong. This probably is convenient for a number of reasons, mainly having to do with file permissions.

However, on current Gentoo systems, this is outright broken unless your UID is >1000. UIDs <1000 for regular users are not at all uncommon, given that so many other distros start numbering their users at 400 or 500.

Note: Suexec2 is not used for /cgi-bin/ URLs, just CGIs that are in an apache UserDir.
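
An added example, not part of the original report or of Apache's code: a shell check that reads the compiled-in minimums from `suexec -V` style output and lists the accounts whose UserDir CGIs suexec would refuse for falling below them. It goes slightly beyond the report by also comparing each account's primary group with `AP_GID_MIN`; the sample output, the passwd entries and the floor of 500 are constructed assumptions.

```sh
#!/bin/sh
# Constructed sample of the "-D NAME=value" settings printed by `suexec -V`.
SUEXEC_V_SAMPLE=' -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_UID_MIN=1000
 -D AP_USERDIR_SUFFIX="public_html"'

# Constructed passwd(5) entries (name:pw:uid:gid:gecos:home:shell).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
apache:x:81:81:apache:/var/www:/sbin/nologin
alice:x:500:100:NIS user:/home/alice:/bin/bash
bob:x:742:50:NIS user:/home/bob:/bin/bash
carol:x:1001:100:local user:/home/carol:/bin/bash'

# suexec_min NAME: read `suexec -V` style text on stdin, print NAME's number.
suexec_min() {
    sed -n "s/^[[:space:]]*-D[[:space:]]*$1=\([0-9][0-9]*\)[[:space:]]*\$/\1/p" |
        head -n 1
}

# refused_accounts UIDMIN GIDMIN FLOOR: read passwd entries on stdin and print
# "name uid gid reason" for each account with uid >= FLOOR that falls below a
# suexec minimum. FLOOR (hypothetical parameter) is where the site starts
# numbering real users; lower uids are treated as system accounts and skipped.
refused_accounts() {
    awk -F: -v umin="$1" -v gmin="$2" -v floor="$3" '
        $3 + 0 < floor + 0 { next }
        {
            why = ""
            if ($3 + 0 < umin + 0) why = "uid<" umin
            if ($4 + 0 < gmin + 0) why = why (why == "" ? "" : ",") "gid<" gmin
            if (why != "") print $1, $3, $4, why
        }'
}

# Demo on the constructed samples, using 500 as the first real-user uid.
uidmin=$(printf '%s\n' "$SUEXEC_V_SAMPLE" | suexec_min AP_UID_MIN)
gidmin=$(printf '%s\n' "$SUEXEC_V_SAMPLE" | suexec_min AP_GID_MIN)
printf '%s\n' "$PASSWD_SAMPLE" | refused_accounts "$uidmin" "$gidmin" 500
```

On a live host, feed the same functions the real `suexec -V` output and `getent passwd` instead of the samples.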
Comment 2 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2004-10-08 23:36:05 UTC
This bug is really just a subset of the issue of suexec options not being very configurable, which is being worked on in bug 66397.

*** This bug has been marked as a duplicate of 66397 ***
Comment 3 Elfyn McBratney (beu) (RETIRED) gentoo-dev 2005-04-23 20:03:58 UTC
Closing.
Comment 4 0g 2005-09-28 08:29:16 UTC
*** Bug 107514 has been marked as a duplicate of this bug. ***