Package: apache2-suexec-custom
Version: 2.4.10-10

The apache2-suexec-custom manpage says that suexec will read the calling user's /etc/apache2/suexec/username configuration file. Unfortunately, the calling user is always www-data, so it always ends up reading /etc/apache2/suexec/www-data regardless of the owner of the script being executed.

I think this is because the configuration filename is obtained by

    asprintf(&filename, SUEXEC_CONFIG_DIR "%s", pw->pw_name)

where pw comes from

    uid = getuid();
    if ((pw = getpwuid(uid)) == NULL) {

right at the beginning of main() when uid is still that of www-data. It should be obtained from target_uname instead.

$ uname -v
#1 SMP Debian 3.16.7-ckt9-3~deb8u1 (2015-04-24)
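The file selection described in the report above, as an added example that is not part of the original message or of the suexec source: it contrasts choosing the configuration file from the calling user with choosing it from the target user. The helper names, the sample targets `alice`, `bob` and `../www-data`, the name check, and the use of `snprintf` in place of `asprintf` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Directory named in the report; per-user files sit directly under it. */
#define SUEXEC_CONFIG_DIR "/etc/apache2/suexec/"

/* Hypothetical helper (not suexec code): write the config path for uname to
 * out. Returns 0, or -1 if the name is not a plain file name or does not fit.
 * The name check is an added precaution, not something the report asks for. */
static int config_path_for(const char *uname, char *out, size_t outlen)
{
    if (uname == NULL || uname[0] == '\0' || uname[0] == '.' || strchr(uname, '/'))
        return -1;
    int n = snprintf(out, outlen, SUEXEC_CONFIG_DIR "%s", uname);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Reported behaviour: the calling user (always the web server account)
 * decides the file, so target_uname is ignored. */
static int select_config_reported(const char *caller_uname, const char *target_uname,
                                  char *out, size_t outlen)
{
    (void)target_uname;
    return config_path_for(caller_uname, out, outlen);
}

/* Behaviour the report asks for: the target user decides the file. */
static int select_config_suggested(const char *caller_uname, const char *target_uname,
                                   char *out, size_t outlen)
{
    (void)caller_uname;
    return config_path_for(target_uname, out, outlen);
}

int main(void)
{
    const char *targets[] = { "alice", "bob", "../www-data" }; /* constructed */
    char path[256];
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        if (select_config_reported("www-data", targets[i], path, sizeof path) == 0)
            printf("reported : %-12s -> %s\n", targets[i], path);
        if (select_config_suggested("www-data", targets[i], path, sizeof path) == 0)
            printf("suggested: %-12s -> %s\n", targets[i], path);
        else
            printf("suggested: %-12s -> rejected\n", targets[i]);
    }
    return 0;
}
```

With the reported behaviour every target resolves to the same `www-data` file, so per-user restrictions placed in the other files are never consulted.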