The "NoNewPrivileges=true" line added to /usr/lib/systemd/system/apache2.service causes internal server errors on suexec pages. There are also setgid errors like the following in /var/log/apache2/suexec_log:
[2016-11-20 14:02:42]: uid: (65000/wces) gid: (65000/wces) cmd: php
[2016-11-20 14:02:42]: failed to setgid (65000: php)
I think it would be good to have a warning in the ebuild about incompatibility with systemd when the suexec USE flag is enabled.
I also think it would be good to add a comment to the apache2.service file mentioning that the NoNewPrivileges=true line is incompatible with suexec.
(See also bug 586984 which added hardening and bug 595086 which reported a similar PHP breakage.)
I ran into the exact same thing yesterday; it's still an issue even with the latest Apache 2.4.
Adding an override.conf with NoNewPrivileges=false makes suexec work.
Maybe the systemd unit should be sed-patched when suexec is enabled?
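The override described in the previous comment, as an added example that is not part of the bug thread: a POSIX shell script that detects NoNewPrivileges=true in a unit file and writes a drop-in that flips only that one directive, so the rest of the unit's hardening stays in place. The function and file names are the example's own, and the paths are parameters so the functions can be exercised on constructed unit files.

```shell
#!/bin/sh
# Added example, not from the bug report or the Gentoo ebuild.

# Return 0 if the unit file turns on NoNewPrivileges. With no_new_privs set,
# the kernel ignores the setuid/setgid bits on the suexec helper, which is
# why suexec_log shows "failed to setgid" and Apache returns 500.
unit_has_nnp() {
    grep -Eq '^[[:space:]]*NoNewPrivileges[[:space:]]*=[[:space:]]*(true|yes|y|1|on)[[:space:]]*$' "$1"
}

# Write a drop-in that overrides only NoNewPrivileges. $1 is the drop-in
# directory, e.g. /etc/systemd/system/apache2.service.d; the vendor unit and
# its other hardening directives are left untouched.
write_nnp_override() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/override.conf" <<'EOF'
# suexec is a setuid-root helper; NoNewPrivileges=true blocks the privilege
# change it needs. Drop this override again if suexec is disabled.
[Service]
NoNewPrivileges=false
EOF
}

# Run as root with the argument "apply" to fix the real unit; otherwise the
# script only defines the functions above.
if [ "${1:-}" = "apply" ]; then
    unit=/usr/lib/systemd/system/apache2.service
    if unit_has_nnp "$unit"; then
        write_nnp_override /etc/systemd/system/apache2.service.d
        systemctl daemon-reload
        systemctl restart apache2.service
    fi
fi
```

Check the effective value afterwards with `systemctl show apache2.service -p NoNewPrivileges`, which reports the merged result of the unit and its drop-ins.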
*** Bug 750470 has been marked as a duplicate of this bug. ***
The only hardening option set in Fedora is
I would then simply drop all the other extra hardening to prevent problems like this.
I know systemd is low priority, but given the relative simplicity of this change and the fact that it's almost 5 years old, can we get a fix? It's annoying having Apache break on every upgrade.