
Bug#431048: suexec permissions are DANGEROUS



Package: apache2.2-common
Version: 2.2.3-4

Excuse me for being a little irate here but unless I'm being rather
stupid this morning, and I have asked for a second opinion, the default
permissions for suexec are not only wrong but very DANGEROUS. Andreas
Fuchs warned about this in the last message of #395828 but this message
was seemingly ignored. The permissions that were given on my new
amd64 Etch installation were...

-rwsr-xr-x 1 root root 12472 2007-03-27 14:03 /usr/lib/apache2/suexec

This allows ANYONE to run suexec as root. I can't believe this has
slipped through. As the Apache docs very clearly state over at
http://httpd.apache.org/docs/2.2/suexec.html, they should be set with...

chgrp www-data /usr/lib/apache2/suexec
chmod 4750 /usr/lib/apache2/suexec

Which would result in...

-rwsr-x--- 1 root www-data 12472 2007-03-27 14:03 /usr/lib/apache2/suexec

Now only www-data can run suexec as root. PLEASE fix this immediately.

Regards,
James
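
The check the report asks for, as an added example that is not part of the original bug report or of the Debian package: it compares a suexec binary's mode, owner and group with the root:www-data 4750 layout quoted above. The function names and the SUEXEC_GROUP variable are hypothetical, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: audit suexec against the root:www-data 4750 layout from the report.
# Function names are hypothetical; `stat -c` assumes GNU coreutils.

# evaluate_suexec MODE OWNER GROUP [EXPECTED_GROUP]
# MODE is octal as printed by `stat -c %a`. Prints findings; returns 0 if none.
evaluate_suexec() {
    mode=$1; owner=$2; group=$3; want_group=${4:-www-data}
    case $mode in
        ''|*[!0-7]*) echo "unparseable mode: $mode"; return 2 ;;
    esac
    perm=$((0$mode))   # leading 0 makes the shell read the value as octal
    rc=0
    if [ "$owner" != root ]; then
        echo "owner is $owner, expected root"; rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "group is $group, expected $want_group"; rc=1
    fi
    if [ $((perm & 04000)) -eq 0 ]; then
        echo "setuid bit is not set"; rc=1
    fi
    if [ $((perm & 0007)) -ne 0 ]; then
        echo "other has access (mode $mode): not limited to $want_group"; rc=1
    fi
    if [ $((perm & 0020)) -ne 0 ]; then
        echo "group-writable (mode $mode)"; rc=1
    fi
    return $rc
}

# audit_suexec PATH: read the live mode/owner/group and evaluate them.
audit_suexec() {
    info=$(stat -c '%a %U %G' "$1") || return 2
    # Intentional word splitting into $1 (mode), $2 (owner), $3 (group).
    set -- $info
    evaluate_suexec "$1" "$2" "$3" "${SUEXEC_GROUP:-www-data}"
}

# Run as: sh audit.sh /usr/lib/apache2/suexec
if [ $# -gt 0 ]; then
    audit_suexec "$1"
fi
```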


