Bug#431048: suexec permissions are DANGEROUS
Package: apache2.2-common
Version: 2.2.3-4
Excuse me for being a little irate here but unless I'm being rather
stupid this morning, and I have asked for a second opinion, the default
permissions for suexec are not only wrong but very DANGEROUS. Andreas
Fuchs warned about this in the last message of #395828 but this message
was seemingly ignored. The permissions that were given on my new
amd64 Etch installation were...
-rwsr-xr-x 1 root root 12472 2007-03-27 14:03 /usr/lib/apache2/suexec
This allows ANYONE to run suexec as root. I can't believe this has
slipped through. As the Apache docs very clearly state over at
http://httpd.apache.org/docs/2.2/suexec.html, they should be set with...
chgrp www-data /usr/lib/apache2/suexec
chmod 4750 /usr/lib/apache2/suexec
Which would result in...
-rwsr-x--- 1 root www-data 12472 2007-03-27 14:03 /usr/lib/apache2/suexec
Now only www-data can run suexec as root. PLEASE fix this immediately.
Regards,
James
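
The check described in the report, as an added example that is not part of the original message: a shell function that flags a setuid suexec that "other" can reach or that is not grouped to the web server user. It assumes GNU stat (coreutils) and the Debian path and www-data group quoted in the report; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes GNU stat (coreutils).

# check_suexec_perms MODE OWNER GROUP [WEB_GROUP]
# MODE is the octal string printed by `stat -c %a`, e.g. 4755.
# Prints one line per finding; returns 1 if anything is wrong, else 0.
check_suexec_perms() {
    mode=$((0$1)); owner=$2; group=$3; web_group=${4:-www-data}
    rc=0
    if [ $((mode & 04000)) -eq 0 ]; then
        echo "INFO: setuid bit not set; the binary runs as the invoking user"
        return 0
    fi
    if [ "$owner" != root ]; then
        echo "WARN: setuid binary owned by $owner, expected root"; rc=1
    fi
    if [ "$group" != "$web_group" ]; then
        echo "WARN: group is $group, expected $web_group"; rc=1
    fi
    if [ $((mode & 0007)) -ne 0 ]; then
        echo "FAIL: 'other' has access; any local user can reach the setuid binary"; rc=1
    fi
    if [ $((mode & 0022)) -ne 0 ]; then
        echo "FAIL: writable by group or other"; rc=1
    fi
    return $rc
}

# audit_suexec [PATH] [WEB_GROUP]
# Reads the live mode, owner and group with stat and classifies them.
audit_suexec() {
    suexec_path=${1:-/usr/lib/apache2/suexec}
    expected_group=${2:-www-data}
    [ -e "$suexec_path" ] || { echo "SKIP: $suexec_path not present"; return 0; }
    # %a = octal mode, %U = owner name, %G = group name
    info=$(stat -c '%a %U %G' "$suexec_path") || return 2
    # Unquoted on purpose: split the three stat fields into arguments.
    check_suexec_perms $info "$expected_group"
}
```

Run `audit_suexec` with no arguments to check the path from the report; a non-zero exit status means the permissions differ from the root:www-data 4750 layout the report asks for.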