Bug 215358 - Invalid permission of file /usr/sbin/suphp
Summary: Invalid permission of file /usr/sbin/suphp
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: mod_suphp
Version: 5
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Andreas Thienemann
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: FE7Target
Reported: 2006-11-13 17:23 UTC by adhisimon
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-03-10 21:38:43 UTC
Type: ---
Embargoed:



Description adhisimon 2006-11-13 17:23:08 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.8) Gecko/20061108 Fedora/1.5.0.8-1.fc5 Firefox/1.5.0.8

Description of problem:
File /usr/sbin/suphp has the wrong permissions. This prevents httpd from creating a child process, because it cannot read and execute the file: the permissions prevent any user/group other than root/root from reading and executing it (httpd runs as apache/apache).

Version-Release number of selected component (if applicable):
mod_suphp-0.6.1-4.fc5

How reproducible:
Always


Steps to Reproduce:
1. Access a page served by mod_suphp


Actual Results:
It will get an "Internal Server Error" message and the httpd error log will contain:
Permission denied: couldn't create child process

Expected Results:
The page content shows nicely

Additional info:
A single command to solve this problem is:
chmod o+rx /usr/sbin/suphp

Comment 1 Sitsofe Wheeler 2006-11-14 23:14:37 UTC
I believe a better solution is to ensure that suphp is in the apache group.

Comment 2 Sitsofe Wheeler 2006-11-18 18:58:09 UTC
Just to clarify, in the spec file I think:
%attr (4550, root, root) %{_sbindir}/suphp 
should be
%attr (4550, root, apache) %{_sbindir}/suphp

This means only root and apache will be able to run the setuid binary which is
the way that suexec does things too.

Comment 3 Andreas Thienemann 2007-03-10 21:38:43 UTC
Thx, package is updated as suggested in comment #2.
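
The three permission settings discussed in this thread, compared in an added example that is not part of the original bug report or the package: it models the owner/group/other execute check for the setuid helper and shows who can run it in each case. The numeric ids (48 for apache, 1000 for an unprivileged user) and the function names are assumptions, and supplementary groups are ignored.

```shell
#!/bin/sh
# Model of the execute-permission decision for a file, applied to the three
# mode/ownership combinations raised in this bug.
# All numeric ids are constructed sample values, not taken from the bug.
ROOT_UID=0;    ROOT_GID=0
APACHE_UID=48; APACHE_GID=48    # assumed ids of the apache user/group
USER_UID=1000; USER_GID=1000    # hypothetical unprivileged local user

# can_exec MODE FILE_UID FILE_GID CALLER_UID CALLER_GID
# MODE is octal without a leading 0 (e.g. 4550). Prints "yes" or "no".
can_exec() {
    mode=$((0$1)); fuid=$2; fgid=$3; cuid=$4; cgid=$5
    if [ "$cuid" -eq 0 ]; then
        # root may execute as long as any execute bit is set
        [ $((mode & 0111)) -ne 0 ] && echo yes || echo no
    elif [ "$cuid" -eq "$fuid" ]; then
        # owner: only the owner bits are consulted
        [ $((mode & 0100)) -ne 0 ] && echo yes || echo no
    elif [ "$cgid" -eq "$fgid" ]; then
        # group member: only the group bits are consulted
        [ $((mode & 0010)) -ne 0 ] && echo yes || echo no
    else
        # everyone else: only the "other" bits are consulted
        [ $((mode & 0001)) -ne 0 ] && echo yes || echo no
    fi
}

# report LABEL MODE FILE_UID FILE_GID
# One line per configuration: who is able to start the setuid-root binary.
report() {
    printf '%-28s root=%s apache=%s other=%s\n' "$1" \
        "$(can_exec "$2" "$3" "$4" $ROOT_UID $ROOT_GID)" \
        "$(can_exec "$2" "$3" "$4" $APACHE_UID $APACHE_GID)" \
        "$(can_exec "$2" "$3" "$4" $USER_UID $USER_GID)"
}

report "4550 root:root (packaged)"    4550 0 0           # apache is locked out
report "4555 root:root (o+rx)"        4555 0 0           # any local user can run it
report "4550 root:apache (comment 2)" 4550 0 $APACHE_GID # only root and apache
```

On an installed system, `stat -c '%a %U:%G' /usr/sbin/suphp` shows the actual mode and ownership to compare against these rows.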

