apache2-suexec-custom changes permissions on suexec binary

Bug #897120 reported by Nick_Hill on 2011-11-28
Affects: apache2 (Ubuntu)
Importance: Medium
Assigned to: Unassigned

Bug Description

I have a server where the group ID for the suexec binary is set to other than www-data.

Whenever an update occurs, all web sites with scripting which depend on suexec break. This can happen at any time as I have automatic updates enabled. Once I receive complaints, I must log in and re-set the GID on /var/lib/apache2/suexec.

I consider the group ID on the suexec binary as a system setting. This system setting is wiped on update.

Please change the package scripts so that they preserve the ownership and permissions on suexec.

Description: Ubuntu 10.04.3 LTS
Release: 10.04

apache2-suexec-custom:
  Installed: 2.2.14-5ubuntu8.7
  Candidate: 2.2.14-5ubuntu8.7

Changed in apache2 (Ubuntu):
importance: Undecided → Medium

Stefan Fritsch (sf-sfritsch) wrote:

That's what dpkg-statoverride is for. I will mention that in the suexec man page.
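
An added example, not part of the original comment or of the apache2 package: one way to record a custom group on the suexec binary with dpkg-statoverride so that dpkg reapplies it whenever the package is unpacked. The helper names, the group `hosting` and the mode `4750` are assumptions; pass the suexec path your system actually uses.

```shell
#!/bin/sh
# Added example. OWNER/GROUP/MODE/PATH are site-specific values you supply.

# valid_mode MODE: accept only 3- or 4-digit octal modes.
valid_mode() {
    case "$1" in
        [0-7][0-7][0-7]|[0-7][0-7][0-7][0-7]) return 0 ;;
        *) return 1 ;;
    esac
}

# drifted OWNER GROUP MODE PATH
# Returns 0 if PATH differs from the desired state, 1 if it matches,
# 2 if PATH cannot be inspected or MODE is malformed.
drifted() {
    valid_mode "$3" || return 2
    cur=$(stat -c '%U:%G:%a' "$4" 2>/dev/null) || return 2
    cur_mode=${cur##*:}
    [ "${cur%:*}" != "$1:$2" ] && return 0
    # The leading 0 forces octal, so "0750" and "750" compare equal.
    [ $((0$cur_mode)) -ne $((0$3)) ]
}

# pin_suexec OWNER GROUP MODE PATH
# Replaces any existing override for PATH, then registers the desired one.
# --update also applies it to the file on disk immediately.
# Set RUN=echo to print the commands instead of running them.
pin_suexec() {
    valid_mode "$3" || { echo "invalid mode: $3" >&2; return 64; }
    if dpkg-statoverride --list "$4" >/dev/null 2>&1; then
        $RUN dpkg-statoverride --remove "$4" || return 1
    fi
    $RUN dpkg-statoverride --update --add "$1" "$2" "$3" "$4"
}

# Typical use, as root (group "hosting" and mode 4750 are assumptions):
#   pin_suexec root hosting 4750 /path/to/suexec
# After an upgrade, confirm nothing reverted:
#   drifted root hosting 4750 /path/to/suexec && echo "suexec reverted" >&2
```

Running `drifted` from a post-upgrade check gives an early warning if the override was removed or never registered, instead of waiting for broken sites.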

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package apache2 - 2.2.21-3ubuntu1

---------------
apache2 (2.2.21-3ubuntu1) precise; urgency=low

  * Merge from Debian testing. Remaining changes:
    - debian/{control, rules}: Enable PIE hardening.
    - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles.
    - debian/control: Add bzr tag and point it to our tree
    - debian/apache2.py, debian/apache2.2-common.install: Add apport hook.
    - debian/control, debian/ask-for-passphrase, debian/config-dir/mods-available/ssl.conf:
      Plymouth aware passphrase dialog program ask-for-passphrase.

apache2 (2.2.21-3) unstable; urgency=medium

  * Fix CVE-2011-4317: Prevent unintended pattern expansion in some
    reverse proxy configurations. (Similar to CVE-2011-3368, but different
    attack vector.)
  * Fix CVE-2011-3607: Integer overflow in ap_pregsub could cause segfault
    via malicious .htaccess.
  * Mention dpkg-statoverride for changing permissions of suexec. LP: #897120
  * Fix broken link in docs. Closes: #650528
  * Remove Tollef Fog Heen, Thom May, and Peter Samuelson from uploaders.
    Thanks for your work in the past.
 -- Chuck Short <email address hidden> Fri, 09 Dec 2011 05:20:43 +0000

Changed in apache2 (Ubuntu):
status: New → Fix Released