Bug#223902: apache: suexec is built with www instead of www-data as user

To: Brian McGroarty <brian@skittlebrau.org>, 223902@bugs.debian.org
Subject: Bug#223902: apache: suexec is built with www instead of www-data as user
From: Fabio Massimo Di Nitto <fabbione@fabbione.net>
Date: Mon, 15 Dec 2003 17:26:36 +0100 (CET)
Message-id: <[🔎] Pine.LNX.4.58.0312151725540.4210@trider-g7.ext.fabbione.net>
Reply-to: Fabio Massimo Di Nitto <fabbione@fabbione.net>, 223902@bugs.debian.org
In-reply-to: <[🔎] E1AVIdu-0006Dj-K7@eastbits.vm.jvds.com>
References: <[🔎] E1AVIdu-0006Dj-K7@eastbits.vm.jvds.com>

Hi Brian,
	thanks for reporting. I have the fix ready in CVS. I expect to
upload a new version within today or tomorrow.

Fabio

On Sat, 13 Dec 2003, Brian McGroarty wrote:

> Package: apache
> Version: 1.3.29.0.1-1
> Severity: normal
> Tags: sid
>
> suexec is broken.
>
> /usr/lib/apache/suexec -V reports:
>  -D DOC_ROOT="/usr/local/apache/htdocs"
>  -D GID_MIN=100
>  -D HTTPD_USER="www"
>  -D LOG_EXEC="/var/log/apache/cgi.log"
>  -D SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
>  -D UID_MIN=1000
>  -D USERDIR_SUFFIX="public_html"
>
> The HTTPD_USER option should be www-data.
>
> This prevents the su mechanism from properly working, making all
> relevant cgi scripts fail with an internal server error.
>
> /var/log/apache/cgi.log shows for each:
>     crit: calling user mismatch (www-data instead of www)
>
>
> -- System Information:
> Debian Release: testing/unstable
> Architecture: i386
> Kernel: Linux eastbits 2.4.23-rc3-djc3-6um #2 Fri Nov 21 22:48:44 EST 2003 i686
> Locale: LANG=C, LC_CTYPE=C
>
> Versions of packages apache depends on:
> ii  apache-common               1.3.29.0.1-1 Support files for all Apache webse
> ii  debconf                     1.3.22       Debian configuration management sy
> ii  dpkg                        1.10.18      Package maintenance system for Deb
> ii  libc6                       2.3.2.ds1-10 GNU C Library: Shared libraries an
> ii  libdb4.1                    4.1.25-10    Berkeley v4.1 Database Libraries [
> ii  libexpat1                   1.95.6-6     XML parsing C library - runtime li
> ii  libmagic1                   4.06-1       File type determination library us
> ii  libpam0g                    0.76-14      Pluggable Authentication Modules l
> ii  logrotate                   3.6.5-2      Log rotation utility
> ii  mime-support                3.23-1       MIME files 'mime.types' & 'mailcap
> ii  perl [perl5]                5.8.2-2      Larry Wall's Practical Extraction
>
> -- debconf information:
> * apache/server-name: www.skittlebrau.org
> * apache/document-root: /var/www
> * apache/server-port: 80
> * apache/enable-suexec: true
> * apache/init: true
> * apache/server-admin: webmaster@skittlebrau.org
>
>
>
>

-- 
Our mission: make IPv6 the default IP protocol
"We are on a mission from God" - Elwood Blues

http://www.itojun.org/paper/itojun-nanog-200210-ipv6isp/mgp00004.html

Reply to:

References:
- Bug#223902: apache: suexec is built with www instead of www-data as user
  - From: Brian McGroarty <brian@skittlebrau.org>

Prev by Date: Processed: Re: Bug#224035: apache: suexec compiled with uid>=1000, breaks internal systems
Next by Date: Bug#223810:
Previous by thread: Bug#223902: apache: suexec is built with www instead of www-data as user
Next by thread: Bug#223902: marked as done (apache: suexec is built with www instead of www-data as user)
Index(es):
- Date
- Thread