On Tuesday 01 July 2008, Michael Alan Dorman wrote:
> Your decision to suddenly change the minimum userid that suexec
> will allow breaks existing installations of totally unrelated
> software.

Nearly every configuration change in apache will break some system somewhere. That does not make this a critical bug.

> This represents a non-trivial amount of work for system
> administrators to ameliorate---coordinating the changing of a uid
> and some unknown quantity of files.
>
> Please reconsider this action.

Allowing suexec to change to random system users is bad from a security point of view. Therefore the minimum uid of 100 should be changed to some higher value.

Now the question is if it is possible to make that change in a less disrupting way. A compromise would be to raise it to 200 and not 1000. This would exclude automatically created system accounts on most systems and mean a significant gain in security. Would this be helpful?

Is the user you want to switch to created by some Debian package or have you created it manually?
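To see what each minimum discussed above would mean on a given host, the following added example (not part of the original message or of the Apache or Debian code) lists the accounts that are accepted with a minimum uid of 100 but would be refused at 200 or at 1000. The account names and the passwd sample are constructed for illustration; on a real system, pass the contents of `/etc/passwd` instead.

```python
OLD_MIN_UID = 100                 # minimum uid named in the message
CANDIDATE_MINIMUMS = (200, 1000)  # the two raised values under discussion

# Constructed sample in passwd(5) format; all accounts are hypothetical.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
webuser:x:33:33:web server:/var/www:/usr/sbin/nologin
# comment lines and malformed entries are skipped
pkg-daemon:x:104:109::/var/run/pkg-daemon:/bin/false
listsvc:x:150:150:list manager:/srv/lists:/bin/sh
broken-line-without-fields
badentry:x:notanumber:1:bad uid:/nonexistent:/bin/false
legacyapp:x:500:500:manually created:/srv/legacy:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""


def parse_passwd(text):
    """Yield (name, uid) for each well-formed passwd(5) entry in text."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # passwd entries have exactly seven fields
        try:
            yield fields[0], int(fields[2])
        except ValueError:
            continue  # non-numeric uid


def newly_refused(text, old_min, new_min):
    """Names with old_min <= uid < new_min, ordered by uid."""
    hits = [(uid, name) for name, uid in parse_passwd(text)
            if old_min <= uid < new_min]
    return [name for _, name in sorted(hits)]


def impact_report(text, old_min=OLD_MIN_UID, candidates=CANDIDATE_MINIMUMS):
    """Map each candidate minimum to the accounts it would newly exclude."""
    return {new_min: newly_refused(text, old_min, new_min)
            for new_min in candidates}


if __name__ == "__main__":
    for new_min, names in impact_report(SAMPLE_PASSWD).items():
        print(f"minimum uid {new_min}: newly refused -> {', '.join(names) or 'none'}")
```

Accounts that appear only under 1000 are the ones the compromise value of 200 would leave working.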