Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 600292 - >=www-servers/apache-2.4.23-r1: systemd hardening breaks suexec
Summary: >=www-servers/apache-2.4.23-r1: systemd hardening breaks suexec
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Apache Team - Bugzilla Reports
URL:
Whiteboard: Patches are highly welcome
Keywords:
: 750470 (view as bug list)
Depends on:
Blocks:
 
Reported: 2016-11-20 14:30 UTC by Russell Yanofsky
Modified: 2021-09-12 03:45 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Russell Yanofsky 2016-11-20 14:30:14 UTC
The "NoNewPrivileges=true" line added to /usr/lib/systemd/system/apache2.service causes internal server errors on suexec pages. There are also setgid errors like the following in /var/log/apache2/suexec_log:

[2016-11-20 14:02:42]: uid: (65000/wces) gid: (65000/wces) cmd: php
[2016-11-20 14:02:42]: failed to setgid (65000: php)

I think it would be good to have a warning in the ebuild about incompatibility with systemd when the suexec USE flag is enabled.

I also think it would be good to add a comment to the apache2.service file mentioning that the NoNewPrivileges=true line is incompatible with suexec.

(See also bug 586984 which added hardening and bug 595086 which reported a similar PHP breakage.)
Comment 1 Timo Rothenpieler 2018-03-23 13:34:11 UTC
I ran into the exact same thing yesterday, it's still an issue even with latest apache 2.4.

Adding an override.conf with NoNewPrivileges=false makes suexec work.

Maybe the systemd unit should be sed-patched when suexec is enabled?
Comment 2 Pacho Ramos gentoo-dev 2021-02-12 09:20:00 UTC
*** Bug 750470 has been marked as a duplicate of this bug. ***
Comment 3 Pacho Ramos gentoo-dev 2021-02-12 14:28:35 UTC
The only hardening option set in Fedora is 
PrivateTmp=true

https://src.fedoraproject.org/rpms/httpd/blob/rawhide/f/httpd%40.service

I would then simply drop all the other extra hardening to prevent problems like this.
Comment 4 Nick Wiltshire 2021-09-12 03:43:26 UTC
I know systemd is low priority, but given the relative simplicity of this change and the fact that it's almost 5 years old, can we get a fix? It's annoying having Apache break on every upgrade.