Bug 750470 - www-servers/apache-2.4.46 (/lib/systemd/system/apache2.service) breaks suexec
Status: RESOLVED DUPLICATE of bug 600292
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Lars Wendler (Polynomial-C) (RETIRED)
Reported: 2020-10-20 20:04 UTC by Nick Wiltshire
Modified: 2021-02-12 09:20 UTC
Description Nick Wiltshire 2020-10-20 20:04:48 UTC
The service file for apache2 with systemd sets the NoNewPrivs flag to true, which breaks suexec.

Perhaps it can be set to false if [suexec] is set.

I also have [suexec-caps] set true. I'm not sure if this is part of the issue.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-21 00:18:10 UTC
Any logs you can provide, or similar...?
Comment 2 Nick Wiltshire 2020-10-21 00:29:34 UTC
As of right now, you will get this in your suexec log (and get 500 errors):

[2020-10-20 13:37:18]: failed to setgid/initgroups (1000: php): Operation not permitted


Updating the service file and changing
NoNewPrivileges=true

to

NoNewPrivileges=false

and restarting apache fixes it.

If there's a more secure workaround it's probably preferable.

Also see:
https://forums.gentoo.org/viewtopic-t-1089193-start-0.html
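
Editor's added example (not part of the bug report, and not Gentoo, Apache or systemd code): NoNewPrivileges=true corresponds to the Linux no_new_privs process flag, under which execve() ignores setuid/setgid bits and file capabilities, so a helper such as suexec starts without the privileges its setgid() call needs. The C program below shows the two properties that matter for the service: the flag is inherited by every descendant, and it cannot be cleared once set. The helper names are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run fn() in a forked child and return its exit status (-1 on error),
 * so the irreversible flag never touches the calling process. */
static int in_child(int (*fn)(void))
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(fn());
    int st;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}

/* Current value of the flag for this process: 0 or 1. */
static int get_nnp(void) { return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0); }

/* Set the flag; this is the kernel switch behind NoNewPrivileges=true. */
static int set_nnp(void) { return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); }

/* Set the flag, then report what a forked descendant sees (expect 1). */
static int inherited_after_set(void)
{
    if (set_nnp() != 0) return 100;
    return in_child(get_nnp);
}

/* Set the flag, then try to clear it; 1 means the kernel refused (EINVAL). */
static int clear_is_refused(void)
{
    if (set_nnp() != 0) return 100;
    errno = 0;
    int rc = prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0);
    return rc == -1 && errno == EINVAL && get_nnp() == 1;
}

int main(void)
{
    printf("flag in this process: %d\n", get_nnp());
    printf("descendant after set: %d\n", in_child(inherited_after_set));
    printf("clearing refused:     %d\n", in_child(clear_is_refused));
    return 0;
}
```

On a running system the same flag is visible as the `NoNewPrivs:` line in `/proc/<pid>/status` (Linux 4.10 and later) for each apache2 process.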
Comment 3 Pacho Ramos gentoo-dev 2021-02-12 09:20:00 UTC

*** This bug has been marked as a duplicate of bug 600292 ***