Bug 37564

Summary: Suggestion: mod_suexec SuexecUserGroup directive in the <Directory> section
Product: Apache httpd-2
Reporter: Daniel <dan1>
Component: mod_suexec
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---
Severity: enhancement
CC: apache-b6e, phpfpm1
Priority: P3
Keywords: PatchAvailable
Version: 2.4.10   
Target Milestone: ---   
Hardware: PC   
OS: Linux   
Attachments: Patch to allow SuexecUserGroup in Directory context

Description Daniel 2005-11-19 11:08:19 UTC
Hello.

This is not a bug but merely a suggestion.
I am trying to install some software and I realise that it would be beautiful 
to be able to define the SuexecUserGroup from the mod_suexec module not only 
in the VirtualHosts, but also in the <Directory> sections.
However, this should most probably be a feature for the httpd.conf ONLY, and 
not in the .htaccess, to avoid having people getting rights that they are not 
allowed to have.

Maybe there is another better way to do this, but my goal would be to be able 
to run CGIs with another user or group ID than apache. I don't like the 
<VirtualHost> means to do that, because we cannot do an SSL connection if we 
have only one IP address. Therefore putting SuexecUserGroup in the <Directory> 
tag would be a great solution to overcome those problems, if there are not too 
many security concerns about it (I don't know).
We can see that problem typically when installing the 'sympa' mailing list 
software.

Thanks for listening.
Regards,
Daniel

Comment 1 phpfpm1 2014-07-19 15:29:25 UTC
I updated the enhancement request in bugzilla, because 2.4.10 still doesn't have the feature. It has been asked in development mailing lists also: http://mail-archives.apache.org/mod_mbox/httpd-dev/201205.mbox/%3CCA+-XxSFMS0YRmZZitL0X-sgVGZBvxfZvrt57hH163DabrZ_N2g@mail.gmail.com%3E

Comment 2 phpfpm1 2014-07-26 08:56:44 UTC
I found a patch already created for that: https://www.mail-archive.com/dev@httpd.apache.org/msg17561.html. It was for apache 2.0, but probably mod_suexec code hasn't changed a lot.

Comment 3 phpfpm1 2014-09-11 10:13:32 UTC
Created attachment 32000
Patch to allow SuexecUserGroup in Directory context

Patch to fix the problem. SuexecUserGroup is allowed to be in Directory context with the patch.