+1

nsc

On 2014.09.11 22:16, Martynas Bendorius wrote:
I've created a patch for it, as I didn't have my question answered :)
From my point of view it's still secure, as it doesn't allow setting
SuexecUserGroup in .htaccess. I tested it and had no problems with it.
Please include it into the trunk if you think it's okay to add it.

=========================

--- httpd-2.4.10/modules/generators/mod_suexec.c.old    2011-12-05
01:08:01.000000000 +0100
+++ httpd-2.4.10/modules/generators/mod_suexec.c    2014-09-11
00:16:21.444000009 +0200
@@ -59,7 +59,7 @@
                                     const char *uid, const char *gid)
  {
      suexec_config_t *cfg = (suexec_config_t *) mconfig;
-    const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_LOC_FILE);
+    const char *err = ap_check_cmd_context(cmd,
NOT_IN_LOCATION|NOT_IN_FILES);

      if (err != NULL) {
          return err;
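
Review bot: With the mask on the ap_check_cmd_context() call reduced to NOT_IN_LOCATION|NOT_IN_FILES, nothing in set_suexec_ugid() itself rejects .htaccess any more; that exclusion now rests entirely on the flags in the command table entry. A short comment at this call saying so would stop a later change to the table from silently opening the directive up. Since cfg is taken from mconfig, a <Directory> block will hand this function a per-directory config, so the patch should also state how a directory-level SuexecUserGroup combines with the one set for the server or virtual host. Separately, the added line has been wrapped by the mail client ("ap_check_cmd_context(cmd," followed by "NOT_IN_LOCATION|NOT_IN_FILES);" on its own line), so the patch will not apply as posted; please send it as an attachment.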
@@ -116,7 +116,7 @@
  {
      /* XXX - Another important reason not to allow this in .htaccess
is that
       * the ap_[ug]name2id() is not thread-safe */
-    AP_INIT_TAKE2("SuexecUserGroup", set_suexec_ugid, NULL, RSRC_CONF,
+    AP_INIT_TAKE2("SuexecUserGroup", set_suexec_ugid, NULL,
RSRC_CONF|ACCESS_CONF,
        "User and group for spawned processes"),
      { NULL }
  };
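
Review bot: The XXX comment above the AP_INIT_TAKE2 entry still only explains why .htaccess is excluded and is not updated for the new context. Please extend it to say that RSRC_CONF|ACCESS_CONF carries no override bits, so the directive is still read only from the server configuration files, and that ACCESS_CONF on its own would also admit <Location>, which is refused by the context check in set_suexec_ugid(). The user-facing documentation for SuexecUserGroup needs the same context change, and this hunk is also line-wrapped in the mail ("RSRC_CONF|ACCESS_CONF," on its own line).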

=========================

Best regards,
Martynas Bendorius
