I installed apache20 package with:

    # pkg_add -r apache20

Everything is working fine but suEXEC. If the module is loaded without any additional options, it works. But, if I try to set the SuexecUserGroup option in a vhost, this is what I get when I run apachectl -t:

    Warning: SuexecUserGroup directive requires SUEXEC wrapper.
    Syntax OK

So, I checked suEXEC with:

    # /usr/local/sbin/suexec -V
     -D AP_DOC_ROOT="/usr/local/www/data"
     -D AP_GID_MIN=1000
     -D AP_HTTPD_USER="www"
     -D AP_LOG_EXEC="/var/log/httpd-suexec.log"
     -D AP_SAFE_PATH="/usr/local/bin:/usr/local/bin:/usr/bin:/bin"
     -D AP_UID_MIN=1000
     -D AP_USERDIR_SUFFIX="public_html"

The AP_SAFE_PATH is wrong.

Fix:

The AP_SAFE_PATH should be set (at least) like this:

    "/usr/local/bin:/usr/local/sbin:/usr/bin:/bin"

to include the /usr/local/sbin directory which contains the suEXEC binary. On my personal machine I copied suEXEC (with -p argument) to /usr/local/bin and ran apachectl -t:

    Syntax OK

No warning about suEXEC.

Responsible Changed From-To: freebsd-bugs->clement
Make this a ports PR and assign.

Responsible Changed From-To: clement->apache
apache team

State Changed From-To: open->suspended
stalled. The docs on httpd.apache.org clearly say sbin and that's where suexec is installed. FreeBSD doesn't mod this. SBIN is intentionally omitted b/c it's the default location for things like visudo and sudo which is a GAPING SECURITY HOLE. You'll have to collaborate with dev@httpd and someone much more up on security than little old me.

State Changed From-To: suspended->closed
www/apache20 will be gone once www/apache24 hits. No further non-CVE patches here.
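
An added example, not part of the PR thread or of the port: a small audit of the `suexec -V` output that flags the two things this thread turns on, the duplicated entry in the reported AP_SAFE_PATH and any sbin directory, which the maintainer's reply says is left out on purpose. The function names are hypothetical, and the sample input is the output quoted in the report.

```sh
#!/bin/sh
# Added example: audit the compiled-in AP_SAFE_PATH printed by `suexec -V`.

# Sample input: the `suexec -V` output quoted in the report above.
sample_output() {
cat <<'EOF'
 -D AP_DOC_ROOT="/usr/local/www/data"
 -D AP_GID_MIN=1000
 -D AP_HTTPD_USER="www"
 -D AP_LOG_EXEC="/var/log/httpd-suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=1000
 -D AP_USERDIR_SUFFIX="public_html"
EOF
}

# Print the value of one -D setting (quotes stripped) from `suexec -V` text on stdin.
suexec_setting() {
    sed -n "s/^[[:space:]]*-D[[:space:]]*$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p"
}

# Read `suexec -V` text on stdin; print one "KIND:entry" line per finding.
audit_safe_path() {
    path=$(suexec_setting AP_SAFE_PATH)
    [ -n "$path" ] || { echo "MISSING:AP_SAFE_PATH"; return 0; }
    seen=":"
    old_ifs=$IFS; IFS=:
    set -f                          # no globbing while splitting on ':'
    for dir in $path; do
        case "$dir" in
            /*) ;;
            *) echo "RELATIVE:$dir" ;;      # empty or relative entry
        esac
        case "$dir" in
            */sbin|*/sbin/) echo "SBIN:$dir" ;;
        esac
        case "$seen" in
            *":$dir:"*) echo "DUPLICATE:$dir" ;;
            *) seen="$seen$dir:" ;;
        esac
    done
    set +f
    IFS=$old_ifs
}

sample_output | audit_safe_path
```

Against a live binary, feed it both output streams: `/usr/local/sbin/suexec -V 2>&1 | audit_safe_path`.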