When running an apache that was configured with suexec support as a non-root user the variable suexec_enabled is incorrectly set. The test should really check access(R_OK|X_OK) as well as for root ownership and the set uid bit. This patch fixes the problem and allows me to run the standard Fedora install of apache as myself and use mod_fcgid which relies on the correct setting of suexec_enabled. --- httpd-2.2.4/os/unix/unixd.c~ 2006-07-11 20:38:44.000000000 -0700 +++ httpd-2.2.4/os/unix/unixd.c 2007-04-19 21:33:43.000000000 -0700 @@ -215,7 +215,7 @@ } if ((wrapper.protection & APR_USETID) && wrapper.user == 0) { - unixd_config.suexec_enabled = 1; + unixd_config.suexec_enabled = access(SUEXEC_BIN, R_OK|X_OK) == 0; } }
Created attachment 20004 [details] A patch to fix suexec detection
I guess this is the problem code in fcgi: if (ap_unixd_config.suexec_enabled) { if (getuid() != 0) { ap_log_error(APLOG_MARK, APLOG_EMERG, 0, main_server, "mod_fcgid: current user is not root while suexec is enabled, exiting now"); exit(1); Why not just test getuid()==0 in unixd.c when setting suexec_enabled? That seems more direct than checking access to the suexec program.
(In reply to comment #2) > I guess this is the problem code in fcgi: Yes. > Why not just test getuid()==0 in unixd.c when setting > suexec_enabled? Because we are not running as root at this point even if the server was started by root. > That seems more direct than checking > access to the suexec program. I agree it seems odd, but I couldn't come up with either a lighter weight or more direct solution. It just runs once at module load time.
I wasn't sure when this code was run, but I tested it and if the server is started as root, it's still running as root at the time this code is executed. getuid() returns 0.
(In reply to comment #4) > I wasn't sure when this code was run, but I tested it and if the server is > started as root, it's still running as root at the time this code is executed. > getuid() returns 0. Looks like I was wrong about that; I get 0 in my setup too, so using getuid() should be fine.
I think the reason I did access() instead of getuid() was that it was the more direct. If someone didn't install susexec with the suid bit set, then the access() would notice that whereas the getuid() wouldn't.
Would it help to get this fixed if I made a patch using getuid()?
Maybe someone who better understands what suexec_enabled is intended for can comment on whether the correct fix here is to get suexec_enabled turned off in this case, or whether fcgi should be making this check in the first place?
This patch is a one line "obvious" fix and has been applied to the trunk (2.3.3) for over and year and has been in Fedora for over two. It would be nice to see it make it into the stable branch at some point.
r791337
fixed in 2.4.1