Bug 108169

Summary: www/apache20 wrong AP_SAFE_PATH for suEXEC
Product: Ports & Packages
Reporter: Bolinard Vincent <VInzstyle>
Component: Individual Port(s)
Assignee: freebsd-apache (Nobody) <apache>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: Latest
Hardware: Any
OS: Any

Description Bolinard Vincent 2007-01-20 23:10:16 UTC
I installed the apache20 package with:

# pkg_add -r apache20

Everything is working fine but suEXEC. If the module is loaded without any additional options, it works. But, if I try to set the SuexecUserGroup option in a vhost, this is what I get when I run apachectl -t:

Warning: SuexecUserGroup directive requires SUEXEC wrapper.
Syntax OK


So, I checked suEXEC with:

# /usr/local/sbin/suexec -V
 -D AP_DOC_ROOT="/usr/local/www/data"
 -D AP_GID_MIN=1000
 -D AP_HTTPD_USER="www"
 -D AP_LOG_EXEC="/var/log/httpd-suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=1000
 -D AP_USERDIR_SUFFIX="public_html"

The AP_SAFE_PATH is wrong.

Fix: 

The AP_SAFE_PATH should be set (at least) like this: "/usr/local/bin:/usr/local/sbin:/usr/bin:/bin" to include the /usr/local/sbin directory which contains the suEXEC binary.

On my personal machine I copied suEXEC (with the -p argument) to /usr/local/bin and ran apachectl -t:

Syntax OK


No warning about suEXEC.
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2007-01-21 02:12:56 UTC
Responsible Changed
From-To: freebsd-bugs->clement

Make this a ports PR and assign.
Comment 2 Philip M. Gollucci freebsd_committer freebsd_triage 2008-12-27 20:29:10 UTC
Responsible Changed
From-To: clement->apache

apache team
Comment 3 Philip M. Gollucci freebsd_committer freebsd_triage 2010-05-07 22:59:42 UTC
State Changed
From-To: open->suspended

stalled
the docs on httpd.apache.org clearly say sbin
and that's where suexec is installed.  FreeBSD doesn't mod this.
SBIN is intentionally omitted because it's the default location for things
like visudo and sudo which is a GAPING SECURITY HOLE.  You'll have to collaborate
with dev@httpd and someone much more up on security than little old me.
Comment 4 Philip M. Gollucci freebsd_committer freebsd_triage 2012-02-08 04:54:53 UTC
State Changed
From-To: suspended->closed

www/apache20 will be gone once www/apache24 hits. No further non-CVE
patches here.