Package: apache2-suexec-custom
Version: 2.4.10-10

The apache2-suexec-custom manpage says that suexec will read the calling user's 
/etc/apache2/suexec/username configuration file. Unfortunately, the calling 
user is always www-data, so it always ends up reading 
/etc/apache2/suexec/www-data regardless of the owner of the script being 
executed.

I think this is because the configuration filename is obtained by

     asprintf(&filename, SUEXEC_CONFIG_DIR "%s", pw->pw_name)

where pw comes from

     uid = getuid();
     if ((pw = getpwuid(uid)) == NULL) {

right at the beginning of main() when uid is still that of www-data. It should 
be obtained from target_uname instead.

$ uname -v
#1 SMP Debian 3.16.7-ckt9-3~deb8u1 (2015-04-24)
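
The lookup described in the report, next to the lookup it asks for, as an added example that is not part of the original message and is not the suexec source. The function names, the sample targets, the use of snprintf in place of asprintf and the name check in config_path_for are assumptions made for illustration.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SUEXEC_CONFIG_DIR "/etc/apache2/suexec/"

/* Build SUEXEC_CONFIG_DIR + name. The name check is an added assumption:
 * a name taken from an argument must not be able to leave the directory. */
static char *config_path_for(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '.' || strchr(name, '/'))
        return NULL;
    size_t len = strlen(SUEXEC_CONFIG_DIR) + strlen(name) + 1;
    char *filename = malloc(len);
    if (filename != NULL)
        snprintf(filename, len, SUEXEC_CONFIG_DIR "%s", name);
    return filename;
}

/* Reported behaviour: the name comes from the real uid of the caller
 * (www-data under Apache), so the target user never influences the path. */
static char *config_path_reported(const char *target_uname)
{
    (void)target_uname;
    struct passwd *pw = getpwuid(getuid());
    return pw ? config_path_for(pw->pw_name) : NULL;
}

/* Behaviour the report asks for: the name comes from the target user. */
static char *config_path_expected(const char *target_uname)
{
    return config_path_for(target_uname);
}

int main(void)
{
    const char *targets[] = { "alice", "bob", "../www-data" }; /* constructed */
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        char *r = config_path_reported(targets[i]);
        char *e = config_path_expected(targets[i]);
        printf("%-12s reported=%s expected=%s\n", targets[i],
               r ? r : "(none)", e ? e : "(rejected)");
        free(r);
        free(e);
    }
    return 0;
}
```

Run under any account, the "reported" column stays the same for every target, which is the symptom described above.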

