
Bug#153523: marked as done (apache: suEXEC has not been Debianised.)



Your message dated Thu, 26 Jun 2003 11:02:35 -0400
with message-id <E19VYGh-0004yq-00@auric.debian.org>
and subject line Bug#153523: fixed in apache 1.3.27.0-2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 19 Jul 2002 02:00:08 +0000
From lh259@cam.ac.uk Thu Jul 18 21:00:08 2002
Return-path: <lh259@cam.ac.uk>
Received: from plum.csi.cam.ac.uk [131.111.8.3] 
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 17VN3v-0005yT-00; Thu, 18 Jul 2002 21:00:07 -0500
Received: from portal.acad.cai.cam.ac.uk ([131.111.136.6] ident=[nYkDH4lFFmgGGiOAwytzlMz7TvkjqmTz])
	by plum.csi.cam.ac.uk with smtp (Exim 4.05)
	id 17VN3p-0002Fu-00
	for submit@bugs.debian.org; Fri, 19 Jul 2002 03:00:01 +0100
Received: (qmail 9426 invoked by uid 1001); 19 Jul 2002 01:59:52 -0000
Message-ID: <20020719015952.9425.qmail@portal.acad.cai.cam.ac.uk>
From: Liyang Hu <lh259@cam.ac.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apache: suEXEC has not been Debianised.
X-Mailer: reportbug 1.50
Date: Fri, 19 Jul 2002 02:59:52 +0100
Delivered-To: submit@bugs.debian.org

Package: apache
Version: 1.3.26-0woody1
Severity: normal
Tags: patch

suEXEC seems to be enabled by default, yet its defaults have not been
modified to reflect the fact that it's running on a Debian system, with
the consequence that it fails to work at all.

The patch below rectifies this issue (while also closing #74228 and
#63217).

Cheers,
/Liyang

--- build-tree.orig/apache_1.3.26/src/support/suexec.8	Wed Mar 13 21:05:37 2002
+++ build-tree/apache_1.3.26/src/support/suexec.8	Fri Jul 19 02:26:37 2002
@@ -69,9 +69,11 @@
 is the "wrapper" support program for the suexec behaviour for the
 Apache HTTP server.  It is run from within the server automatically
 to switch the user when an external program has to be run under a
-different user. For more information about suexec, see the online
-document `Apache suexec Support' on the HTTP server project's
-Web site at  http://httpd.apache.org/docs/suexec.html .
+different user. It fails should the external program (or the
+directory containing the program) be group or world writable. For
+the full description of the security model and more information
+about suexec, see the online document `Apache suexec Support' on the
+HTTP server project's Web site at http://httpd.apache.org/docs/suexec.html .
 .SH OPTIONS
 .IP -V
 Display the list of compile-time settings used when \fBsuexec\fP
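Review bot: the sentence added to the DESCRIPTION names only one of suexec's refusal conditions (a group- or world-writable program or directory) and, as written, reads as if that were the whole check, while the very next sentence defers to the online document for "the full description of the security model"; either present it as one example ("for instance, it fails should ...") or leave the description to the pointer. The rewrapped paragraph also lets the final line run to the 80th column, wider than the surrounding man page text; rewrap it to match.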
diff -ruN -x Makefile.in -x *~ -x build-tree.orig -x ap_ctx.[ch] -x ap_hook.[ch] -x ap_mm.[ch] -x os-inline.c -x os.h build-tree.orig/apache_1.3.26/src/support/suexec.h build-tree/apache_1.3.26/src/support/suexec.h
--- build-tree.orig/apache_1.3.26/src/support/suexec.h	Wed Mar 13 21:05:37 2002
+++ build-tree/apache_1.3.26/src/support/suexec.h	Fri Jul 19 01:45:13 2002
@@ -71,7 +71,7 @@
  *               this program.
  */
 #ifndef HTTPD_USER
-#define HTTPD_USER "www"
+#define HTTPD_USER "www-data"
 #endif
 
 /*
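Review bot: because the define sits under #ifndef HTTPD_USER, this new default is only effective if debian/rules does not already pass --suexec-caller (or -DHTTPD_USER) at configure time; check the build, otherwise this edit is dead. The value must agree with the User directive in the shipped httpd.conf, since suexec refuses to run at all when its real uid is not that account; www-data is the account Debian's apache runs as, so the value is right, but the comment above the define could say so to explain why it differs from upstream's "www".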
@@ -79,7 +79,7 @@
  *            for suEXEC.  For most systems, 500 or 100 is common.
  */
 #ifndef UID_MIN
-#define UID_MIN 100
+#define UID_MIN 1000
 #endif
 
 /*
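Review bot: the comment two lines above the define still says "For most systems, 500 or 100 is common", which no longer explains the value chosen; update it to say that 1000 is the first regular user id on Debian (the reason for the bump, cf. #74228), so the next reader does not "correct" it back down. Raising UID_MIN to 1000 means suexec will refuse to switch to any system account, www-data included; that is the intended effect, but it deserves a sentence in README.Debian next to the enable/disable instructions.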
@@ -87,7 +87,7 @@
  *            for suEXEC.  For most systems, 100 is common.
  */
 #ifndef GID_MIN
-#define GID_MIN 100
+#define GID_MIN 1000
 #endif
 
 /*
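Review bot: the same stale comment ("100 is common") sits one line above this define and should be updated together with the UID_MIN one. GID_MIN applies to the target group, so CGI owners kept in a low-numbered shared group (anything created as a system group) will be refused even though their uid passes; consistent with the uid change, but state the two together in the documentation.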
@@ -121,7 +121,7 @@
  *             debugging purposes.
  */
 #ifndef LOG_EXEC
-#define LOG_EXEC "/usr/local/apache/logs/cgi.log"	/* Need me? */
+#define LOG_EXEC "/var/log/apache/suexec.log"	/* Need me? */
 #endif
 
 /*
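Review bot: the trailing `/* Need me? */` was copied from the upstream default and should be dropped on the Debian line, since the path is now a deliberate choice. Moving the log to /var/log/apache/suexec.log also needs a logrotate stanza next to the existing apache logs (the package already depends on logrotate, per the system information in this report), and the package must create /var/log/apache before the first CGI can be invoked, because suexec opens this file to record what it executes.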
@@ -130,7 +130,7 @@
  *             that can be used for suEXEC behavior.
  */
 #ifndef DOC_ROOT
-#define DOC_ROOT "/usr/local/apache/htdocs"
+#define DOC_ROOT "/usr/lib/cgi-bin"
 #endif
 
 /*
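Review bot: DOC_ROOT is the tree every non-userdir CGI must reside under, so pointing it at /usr/lib/cgi-bin instead of a document root means suexec will refuse any script placed under a per-virtual-host DocumentRoot, which is exactly where sites using User/Group per vhost tend to keep their CGIs. Confirm this is the intended policy and spell it out in README.Debian, because the only symptom for an admin is a refusal entry in the suexec log.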
--- debian/README.Debian.orig	Fri Jul 19 02:44:25 2002
+++ debian/README.Debian	Fri Jul 19 02:39:50 2002
@@ -14,6 +14,18 @@
 
   -- Johnie Ingram <johnie@netgod.net>, Thu, 10 Aug 2000 09:47:11 -0700
 
+* The suEXEC mechanism is enabled by default (contrary to what is stated
+  in the Apache documentation) -- for more details, see:
+
+      http://httpd.apache.org/docs/suexec.html
+
+  Should you wish to disable this feature, simply set up a local diversion
+  for /usr/lib/apache/suexec :
+
+      # dpkg-divert --local --divert /usr/lib/apache/suexec.disabled \
+          --rename /usr/lib/apache/suexec
+
+  -- Liyang HU <liyang@nerv.cx>, Fri, 19 Jul 2002 02:35:24 +0100
 
 * This apache does not pass the HTTP_AUTHORIZATION CGI header
   (i.e. -DSECURITY_HOLE_PASS_AUTHORIZATION was not defined), but 
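Review bot: the disabling recipe gives no way back; add the matching re-enable command (`dpkg-divert --local --rename --remove /usr/lib/apache/suexec`) so an admin who diverts the wrapper can undo it without guessing the syntax. "contrary to what is stated in the Apache documentation" should say which statement it contradicts, or be dropped, since the next line points the reader at that very documentation. The bullet would also be the right place to mention the Debian-specific limits the suexec.h changes impose (uid/gid >= 1000, programs under /usr/lib/cgi-bin), since an admin hitting them will look here first.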

----End-of-Patch----

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux portal 2.4.17-xfs+lvm10+intl #2 Thu Feb 7 22:37:14 GMT 2002 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages apache depends on:
ii  apache-common             1.3.26-0woody1 Support files for all Apache webse
ii  dpkg                      1.9.21         Package maintenance system for Deb
ii  libc6                     2.2.5-6        GNU C Library: Shared libraries an
ii  libdb2                    2:2.7.7.0-7    The Berkeley database routines (ru
ii  libexpat1                 1.95.2-6       XML parsing C library - runtime li
ii  logrotate                 3.5.9-8        Log rotation utility
ii  mime-support              3.18-1         MIME files 'mime.types' & 'mailcap
ii  perl                      5.6.1-7        Larry Wall's Practical Extraction 
ii  perl [perl5]              5.6.1-7        Larry Wall's Practical Extraction 


---------------------------------------
Received: (at 153523-close) by bugs.debian.org; 26 Jun 2003 15:08:53 +0000
From katie@auric.debian.org Thu Jun 26 10:08:53 2003
Return-path: <katie@auric.debian.org>
Received: from auric.debian.org [206.246.226.45] 
	by master.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 19VYMm-0004zW-00; Thu, 26 Jun 2003 10:08:52 -0500
Received: from katie by auric.debian.org with local (Exim 3.35 1 (Debian))
	id 19VYGh-0004yq-00; Thu, 26 Jun 2003 11:02:35 -0400
From: fabbione@fabbione.net (Fabio M. Di Nitto)
To: 153523-close@bugs.debian.org
X-Katie: $Revision: 1.34 $
Subject: Bug#153523: fixed in apache 1.3.27.0-2
Message-Id: <E19VYGh-0004yq-00@auric.debian.org>
Sender: Archive Administrator <katie@auric.debian.org>
Date: Thu, 26 Jun 2003 11:02:35 -0400
Delivered-To: 153523-close@bugs.debian.org

We believe that the bug you reported is fixed in the latest version of
apache, which is due to be installed in the Debian FTP archive:

apache-common_1.3.27.0-2_i386.deb
  to pool/main/a/apache/apache-common_1.3.27.0-2_i386.deb
apache-dev_1.3.27.0-2_i386.deb
  to pool/main/a/apache/apache-dev_1.3.27.0-2_i386.deb
apache-doc_1.3.27.0-2_all.deb
  to pool/main/a/apache/apache-doc_1.3.27.0-2_all.deb
apache-ssl_1.3.27.0-2_i386.deb
  to pool/main/a/apache/apache-ssl_1.3.27.0-2_i386.deb
apache_1.3.27.0-2.diff.gz
  to pool/main/a/apache/apache_1.3.27.0-2.diff.gz
apache_1.3.27.0-2.dsc
  to pool/main/a/apache/apache_1.3.27.0-2.dsc
apache_1.3.27.0-2_i386.deb
  to pool/main/a/apache/apache_1.3.27.0-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 153523@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabio M. Di Nitto <fabbione@fabbione.net> (supplier of updated apache package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Thu, 26 Jun 2003 15:31:43 +0200
Source: apache
Binary: apache-dev apache apache-common apache-doc apache-ssl
Architecture: source i386 all
Version: 1.3.27.0-2
Distribution: unstable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Fabio M. Di Nitto <fabbione@fabbione.net>
Description: 
 apache     - Versatile, high-performance HTTP server
 apache-common - Support files for all Apache webservers
 apache-dev - Apache webserver development kit
 apache-doc - Apache webserver docs
 apache-ssl - Versatile, high-performance HTTP server with SSL support
Closes: 47395 63217 74228 129570 134691 144723 150612 153523 161639 175849 176061 176077 186574 190341 196945
Changes: 
 apache (1.3.27.0-2) unstable; urgency=low
 .
   * (Fabio M. Di Nitto)
     - moved suexec from apache-common to apache
     - ssl-certicate updated by Andrea Mennucci (Closes: #175849)
     - added ssl-certicate man page (Closes: #129570)
     - fixed a bunch of linda/lintian warnings
     - update mime.types for ogg application (RFC3534)
     - apache-ssl merge: now it will be built in sync with apache
     - updated Debian standards to 3.5.10
     - png icons are fixed at build time (Closes: #150612)
     - do not restart apache in logrotate if it was not running before
       (Closes: #134691)
     - updated mod_eaccess to 2.3.3.9
       (Closes: #190341)
     - updated languages in httpd.conf (Closes: #144723)
       Thanks to Pierfrancesco Caci <pf@caci.it> for the patch
     - Closing bugs related to/fixed by NMU's (apache-ssl)
       Normal	(Closes: #176061, #176077)
   * (Thom May)
     - document suexec's default config
     - stop copying suexec.{c,h} to /usr/share/doc/apache (Closes: #47395)
   * (Tollef Fog Heen)
     - Ask about suExec on install (closes: #161639, #153523, #63217)
     - Bump MINUID in suexec.h to 1000 (closes: #74228)
     - Get rid of /usr/doc/apache-ssl symlink
     - Don't create /etc/apache{,-ssl}/conf symlink
     - libmagic1 is now a dependency to support correctly mod_mime_magic,
       also fix default path to magic file in httpd.conf.
       (Closes: #186574)
     - Postinst cleanup and factoring of common parts.  Get rid of
       pre-potato transition stuff. (Closes: #196945)
     - Stop echoing in postrm, since it confuses debconf.
     - Move adduser calls to apache-common also make the adduser and
       addgroup calls non-conditional.
Files: 

