I promise to look deeply into this post 2.4.19 release.
> On Mar 19, 2016, at 1:09 PM, montt...@heavyspace.ca wrote:
>
> Since it's been a while since this issue was mentioned, this patch allows
> Apache to suexec files by a different (but still restricted by UID) owner, to
> avoid the security issue where Apache forces you to suexec to files it has
> full chmod access to.
>
> -------- Original Message --------
> Subject: suexec different-owner patch
> Date: 2016-03-04 18:33
> From: montt...@heavyspace.ca
> To: dev@httpd.apache.org
> Reply-To: dev@httpd.apache.org
>
> Here is my first try at a patch for my suggestion, modified from httpd
> 2.2.31. It works to my satisfaction, able to switch to a UID other than the
> file's owner, while still strictly matching the UID and GID of the file
> against known values. I make no guarantees of correctness or bug-freeness
> however. The changes are so simple though, I hope there's nothing flagrantly
> wrong.
>
> It uses another option, "SuexecFileGroup", which independently defines the
> specific user and group the file must belong to. If you don't define it, it
> defaults to the old behavior. I re-used suexec's own sanity checking on the
> new option where it seemed appropriate.
>
> Criticisms, please?
>
> <specialsuexec.patch.gz>