Hi
Fairly new to this so please bear with me.
I have made a few patches so it will be possible to circumvent some
restrictions on suEXEC.
1. The file must not have g+w on it.
2. The directory must not have g+w on it.
As a web-hotel system administrator I have found this not to be a very
practical solution.
So I made a patch in /src/support/suexec.c that avoided the check for g+w
on dir and file.
I created a SUEXEC_GROUPWRITE define for this purpose.
Also hacked the /configure script and /Makefile.tmpl to make it
possible to configure this by those means.
./configure --suexec-groupwrite # With other commands too naturally
Diffs are generated on 1.3.20.
Is this of any interest to the development of the server?
diff src/support/suexec.c.old src/support/suexec.c
528a529,531
> #ifdef SUEXEC_GROUPWRITE
> if ((dir_info.st_mode & S_IWOTH)) {
> #else
529a533
> #endif
544a549,551
> #ifdef SUEXEC_GROUPWRITE
> if ((prg_info.st_mode & S_IWOTH)) {
> #else
545a553
> #endif
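Review bot: With SUEXEC_GROUPWRITE set, the conditions added at 529 and 549 test only S_IWOTH, so suEXEC no longer refuses a group-writable directory or program at all, and every member of the file's group can change what runs under the target user's uid. Nothing in these hunks documents that; please add a comment in suexec.c and a note in the suEXEC documentation saying that enabling the option means every member of the group must be trusted to run code as the target user. Only the added lines are visible here, so also check that the log message in the unchanged block after each condition still describes the test that was actually made.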
diff configure.old configure
72c72
< ##
---
> #
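Review bot: The 72c72 change from `##` to `#` has nothing to do with the new option and looks like an accidental edit; drop it so the configure diff contains only the suexec-groupwrite changes.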
250a251
> suexec_groupwrite=0
466a468
> echo " --suexec-groupwrite allow suEXEC with group-writable
access"
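Review bot: The help line added at 468 has been wrapped by the mailer, so the closing `access"` sits on a line of its own without the `>` marker and the patch will not apply as posted. Resend it as an attachment, preferably as a unified diff (`diff -u`) so the surrounding context is visible for review.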
999a1002,1005
> --suexec-groupwrite)
> suexec_groupwrite=1
> suexec_ok=1
> ;;
1318a1325
> -e "s%@suexec_groupwrite@%$suexec_groupwrite%g" \
diff Makefile.tmpl.old Makefile.tmpl
140a141
> suexec_groupwrite = @suexec_groupwrite@
207a209
> -DSUEXEC_GROUPWRITE=\"$(suexec_groupwrite)\" \
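Review bot: The line added at 209 passes `-DSUEXEC_GROUPWRITE=\"$(suexec_groupwrite)\"` on every build, so the macro is always defined (as the string "0" or "1") and the `#ifdef SUEXEC_GROUPWRITE` tests in suexec.c are always true, which disables the group-write check even when `--suexec-groupwrite` was not given and suexec_groupwrite stays 0. Either emit the `-D` flag only when the option is enabled, or pass the value unquoted and test it with `#if SUEXEC_GROUPWRITE` in suexec.c; a quoted string cannot be evaluated by `#if`.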
Might have missed some security considerations here.
As I see it, you often upload scripts with 775-mode on them. Also a good
sysadmin will see to it that the web-tree has the group of the web-site,
so that the group "user" or the like will not be used.
Please send me any comments. And if it will be possible to implement into
a new server?
Best regards
Per-Olof Pettersson