Package: apache2.2-common
Version: 2.2.3-4

Excuse me for being a little irate here but unless I'm being rather stupid this morning, and I have asked for a second opinion, the default permissions for suexec are not only wrong but very DANGEROUS. Andreas Fuchs warned about this in the last message of #395828 but this message was seemingly ignored. The permissions that were given on my new amd64 Etch installation were...

-rwsr-xr-x 1 root root 12472 2007-03-27 14:03 /usr/lib/apache2/suexec

This allows ANYONE to run suexec as root. I can't believe this has slipped through. As the Apache docs very clearly state over at http://httpd.apache.org/docs/2.2/suexec.html, they should be set with...

chgrp www-data /usr/lib/apache2/suexec
chmod 4750 /usr/lib/apache2/suexec

Which would result in...

-rwsr-x--- 1 root www-data 12472 2007-03-27 14:03 /usr/lib/apache2/suexec

Now only www-data can run suexec as root. PLEASE fix this immediately.

Regards,
James
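
The ownership and mode check described in the report, as an added example that is not part of the original message or of the Debian package: a shell audit that compares the wrapper against root:www-data, mode 4750. The function names are hypothetical, `stat -c` assumes GNU coreutils, and the sample inputs at the end are constructed from the two listings quoted above.

```shell
#!/bin/sh
# Added example: audit suexec ownership and mode against the values in the
# report (owner root, group www-data, mode 4750). Function names are
# hypothetical; stat -c assumes GNU coreutils.

# classify_suexec MODE OWNER GROUP [EXPECTED_GROUP]
# Prints one line per finding; returns 0 = acceptable, 1 = unsafe, 2 = bad input.
classify_suexec() {
    mode=$1; owner=$2; group=$3; want_group=${4:-www-data}
    case $mode in
        ''|*[!0-7]*) echo "ERROR: not an octal mode: '$mode'"; return 2 ;;
    esac
    rc=0
    if [ "$owner" != root ]; then
        echo "FAIL: owner is $owner, expected root"; rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: group is $group, expected $want_group"; rc=1
    fi
    # Any rwx bit for 'other' lets every local user reach the setuid wrapper.
    if [ $(( 0$mode & 0007 )) -ne 0 ]; then
        echo "FAIL: mode $mode grants access to 'other'"; rc=1
    fi
    # Group or world write would let a non-root account replace the binary.
    if [ $(( 0$mode & 0022 )) -ne 0 ]; then
        echo "FAIL: mode $mode is group- or world-writable"; rc=1
    fi
    # Without the setuid bit the wrapper cannot switch users at all.
    if [ $(( 0$mode & 04000 )) -eq 0 ]; then
        echo "NOTE: setuid bit not set in mode $mode"
    fi
    [ "$rc" -eq 0 ] && echo "OK: $owner:$group mode $mode"
    return "$rc"
}

# audit_suexec [PATH]: read the live values with stat and classify them.
# Returns 3 when the file is absent.
audit_suexec() {
    path=${1:-/usr/lib/apache2/suexec}
    [ -e "$path" ] || { echo "SKIP: $path not present"; return 3; }
    # %a = octal mode, %U = owner name, %G = group name
    set -- $(stat -c '%a %U %G' "$path")
    classify_suexec "$1" "$2" "$3"
}

# Constructed inputs: the two states quoted in the report.
classify_suexec 4755 root root || true
classify_suexec 4750 root www-data
```

On a live system, `audit_suexec` with no argument checks `/usr/lib/apache2/suexec`, the path given in the report.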