Bug#488821: apache2-suexec: suexec configuration change demands extensive system changes
On Tuesday 01 July 2008, Michael Alan Dorman wrote:
> Your decision to suddenly change the minimum userid that suexec
> will allow breaks existing installations of totally unrelated
> software.
Nearly every configuration change in apache will break some system
somewhere. That does not make this a critical bug.
> This represents a non-trivial amount of work for system
> administrators to ameliorate---coordinating the changing of a uid
> and some unknown quantity of files.
>
> Please reconsider this action.
Allowing suexec to change to random system users is bad from a
security point of view. Therefore the minimum uid of 100 should be
changed to some higher value. Now the question is if it is possible
to make that change in a less disrupting way. A compromise would be
to raise it to 200 and not 1000. This would exclude automatically
created system accounts on most systems and mean a significant gain
in security. Would this be helpful? Is the user you want to switch to
created by some Debian package or have you created it manually?