Solaris 10 provides a mechanism for specifying fine-grained permissions that can be used in the case of suexec to avoid the requirement of having the suexec binary setuid. However, httpd will check for the setuid bit on startup, making this mechanism difficult to use (even though it works perfectly well).

For example, after the setuid bit is removed from the suexec wrapper below, the suexec mechanism continues to work perfectly well, as the web server has permission to change effective uid at will due to the proc_setid privilege. Unfortunately, it is still necessary to set the setuid bit on the suexec wrapper as otherwise the mechanism is not enabled.

$ id
uid=80(www) gid=80:(webservd)
$ ppriv -S $$
5672: -pfsh
flags = <none>
        E: basic,net_privaddr,proc_setid
        I: basic,net_privaddr,proc_setid
        P: basic,net_privaddr,proc_setid
        L: zone
$ su -
# chmod u+s /usr/apache2/bin/suexec
# ^D
$ apachectl start
$ grep -i suexec /var/apache2/logs/error_log
[Fri Apr 29 00:06:58 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/apache2/bin/suexec)
$ su -
# chmod u-s /usr/apache2/bin/suexec
#
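The situation in the report above can be audited by reading the effective (E) set from `ppriv -S` output and combining it with the wrapper's setuid bit. This is an added example, not part of the report or of httpd; the function names and result labels are hypothetical, and the sample input is the `ppriv` output quoted in the report.

```shell
#!/bin/sh
# Added example: audit whether suexec depends on the setuid bit or on proc_setid.

# Sample input: the `ppriv -S $$` output quoted in the report.
sample_ppriv() {
cat <<'EOF'
5672: -pfsh
flags = <none>
        E: basic,net_privaddr,proc_setid
        I: basic,net_privaddr,proc_setid
        P: basic,net_privaddr,proc_setid
        L: zone
EOF
}

# Reads `ppriv -S` output on stdin; succeeds if privilege $1 is in the E set.
# Simplification: only a literal name, "all", and "!name" negation are
# understood; other set aliases are not expanded.
has_effective_priv() {
    awk -v want="$1" '
        $1 == "E:" {
            n = split($2, p, ",")
            for (i = 1; i <= n; i++) {
                if (p[i] == want || p[i] == "all") found = 1
                if (p[i] == ("!" want)) found = 0
            }
        }
        END { exit (found ? 0 : 1) }'
}

# Prints "setuid" or "nosetuid" for the wrapper path in $1.
wrapper_state() {
    if [ -u "$1" ]; then echo setuid; else echo nosetuid; fi
}

# $1 = wrapper state; `ppriv -S` output of the httpd user on stdin.
classify() {
    if has_effective_priv proc_setid; then priv=yes; else priv=no; fi
    case "$1:$priv" in
        setuid:yes)   echo "enabled-setuid-redundant" ;;  # bit only satisfies the startup check
        setuid:no)    echo "enabled-setuid-required" ;;   # classic suexec
        nosetuid:yes) echo "disabled-by-startup-check" ;; # the case in the report
        nosetuid:no)  echo "unusable" ;;
    esac
}

sample_ppriv | classify nosetuid
```

On a live Solaris system, replace `sample_ppriv` with `ppriv -S $$` run as the web server user and pass `$(wrapper_state /usr/apache2/bin/suexec)` as the argument.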
It is possible to do some things like this with other operating systems like FreeBSD 5 and Linux w/ SELinux. It would be nice if we could figure out some way of putting code that worked for all of them into APR.
CC myself on FreeBSD related bugs
I would suggest that mod_privileges (in trunk) supersedes this enhancement request (and indeed the need for suexec on Solaris/OpenSolaris). Feel free to re-open if you disagree.