I've created a patch for it, as I didn't have my question answered :)
From my point of view it's still secure, as it doesn't allow setting
SuexecUserGroup in .htaccess. I tested it and had no problems with it.
Please include it in the trunk if you think it's okay to add it.
=========================
--- httpd-2.4.10/modules/generators/mod_suexec.c.old 2011-12-05
01:08:01.000000000 +0100
+++ httpd-2.4.10/modules/generators/mod_suexec.c 2014-09-11
00:16:21.444000009 +0200
@@ -59,7 +59,7 @@
const char *uid, const char *gid)
{
suexec_config_t *cfg = (suexec_config_t *) mconfig;
- const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_LOC_FILE);
+ const char *err = ap_check_cmd_context(cmd,
NOT_IN_LOCATION|NOT_IN_FILES);
if (err != NULL) {
return err;
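Review bot: In set_suexec_ugid, replacing NOT_IN_DIR_LOC_FILE with NOT_IN_LOCATION|NOT_IN_FILES drops the NOT_IN_DIRECTORY check entirely, so please confirm whether <DirectoryMatch> is meant to be accepted along with <Directory>. The value is stored in the per-directory config (cfg is taken from mconfig), so the patch should also state how nested directory sections with different SuexecUserGroup values resolve, and which identity a CGI under the inner directory ends up running as. Separately, the changed line has been wrapped by the mail client (the continuation "NOT_IN_LOCATION|NOT_IN_FILES);" carries no leading "+"), as have the two file header lines, so the patch will not apply as posted; resend it as an attachment.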
@@ -116,7 +116,7 @@
{
/* XXX - Another important reason not to allow this in .htaccess
is that
* the ap_[ug]name2id() is not thread-safe */
- AP_INIT_TAKE2("SuexecUserGroup", set_suexec_ugid, NULL, RSRC_CONF,
+ AP_INIT_TAKE2("SuexecUserGroup", set_suexec_ugid, NULL,
RSRC_CONF|ACCESS_CONF,
"User and group for spawned processes"),
{ NULL }
};
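Review bot: The XXX comment directly above AP_INIT_TAKE2 still only gives the thread-safety of ap_[ug]name2id() as a reason to keep the directive out of .htaccess, and after this change it no longer describes what the override mask permits. Update it to say that RSRC_CONF|ACCESS_CONF allows server config and directory sections only, that no OR_* bit is set so .htaccess remains excluded, and that the name lookups therefore still run at configuration parse time. The mod_suexec documentation for SuexecUserGroup needs its context entry updated in the same patch.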
=========================
Best regards,
Martynas Bendorius
On 8/1/14 1:36 PM, Martynas Bendorius wrote:
Just bringing the email up; it’s likely that the mod_suexec developers missed the
email. Thank you! :)
—
Best Regards,
Martynas Bendorius
On Jul 18, 2014, at 12:53 AM, Martynas Bendorius <marty...@martynas.it> wrote:
Hello,
The following question hasn’t been answered in the dev list, so I’m trying to
ask it again here:
http://mail-archives.apache.org/mod_mbox/httpd-dev/201205.mbox/%3cca+-xxsfms0yrmzzitl0x-sgvgzbvxfzvrt57hh163dabrz_...@mail.gmail.com%3E
:)
Would it be secure to use SuexecUserGroup inside Directory context? And is
there any reason why that is still not available? From our point of view, that
would provide more security, however, there might have been other
technical/security reasons why it is not available/supported yet. I’ve found
requests for that in 2005’s
https://issues.apache.org/bugzilla/show_bug.cgi?id=37564 and a patch written in
2003 https://www.mail-archive.com/dev@httpd.apache.org/msg17561.html.
Thank you for the answers!
—
Best Regards,
Martynas Bendorius