Bug#785740: apache2-suexec-custom always reads www-data config
Package: apache2-suexec-custom
Version: 2.4.10-10
The apache2-suexec-custom manpage says that suexec will read the calling user's /etc/apache2/suexec/username configuration file. Unfortunately, the calling user is always www-data, so it always ends up reading /etc/apache2/suexec/www-data regardless of the owner of the script being executed.
I think this is because the configuration filename is obtained by
asprintf(&filename, SUEXEC_CONFIG_DIR "%s", pw->pw_name)
where pw comes from
uid = getuid();
if ((pw = getpwuid(uid)) == NULL) {
right at the beginning of main() when uid is still that of www-data. It should be obtained from target_uname instead.
$ uname -v
#1 SMP Debian 3.16.7-ckt9-3~deb8u1 (2015-04-24)
Reply to: