On 19 March 2016, [email protected] wrote: >Since its been a while since this issue was mentioned, this patch >allows >Apache to suexec files by a different (but still restricted by UID) >owner, to avoid the security issue where apache forces you to suexec to >files it has full chmod access to.
That patch builds on what I'd consider as a legacy feature. I have not used suexec for a long time: it is risky, and on the one recent-ish occasion when I wanted something like suexec, I also wanted to chroot() / jail() / otherwise separate the CGI application from the main system. httpd's users do sometimes need to have web content served using processes that have different privileges to httpd, and perhaps are also isolated from one another. suexec achieves some of this albeit not well. It feels to me as if some kind of FastCGI process manager, combined with a privileged helper, could be used to fill the gap that mpm_itk and suexec don't completely cover. I'll add to my To Do list (and maybe also Bugzilla) a task to see what already exists and document how to use that in place of suexec. If nothing out there already works, then my idea is to code that up as well. I wish I could say when I might get round to that, but the way if these things is that it's easy to start this kind of task and rather more difficult to complete them. As to whether to take the suggested patch: +0. I don't think it will make things worse; however, I don't feel qualified to comment on security-critical code. Tim -- Tim Bannister – [email protected]
