|Summary:||make install as privileged user creates files not owned by root|
|Product:||Apache httpd-2||Reporter:||Rodney Beede <business2008+issues.apache.org>|
|Component:||Build||Assignee:||Apache HTTPD Bugs Mailing List <bugs>|
Description Rodney Beede 2014-03-12 18:22:53 UTC
When building apache from sources I perform the following commands as a non-privileged user:

    ./configure --with-included-apr
    make

For the actual install into my PREFIX (/usr/local/apache2) I execute a privileged command of:

    sudo make install

This results in binaries, files, and directories that are NOT owned by root as one might expect.

Some example files (all not owned by root):

    /usr/local/apache2/bin/apachectl
    /usr/local/apache2/bin/envvars-std
    /usr/local/apache2/bin/dbmmanage
    /usr/local/apache2/bin/envvars
    /usr/local/apache2/bin/apxs
    /usr/local/apache2/cgi-bin/printenv
    /usr/local/apache2/cgi-bin/printenv.wsf
    /usr/local/apache2/cgi-bin/printenv.vbs
    /usr/local/apache2/cgi-bin/test-cgi

Files inside

    /usr/local/apache2/icons/
    /usr/local/apache2/error/include/

Suggestion 1: Modify the build scripts so when running make install any files or directories copied/created have the ownership and group membership set to the effective uid running the make install.

Suggestion 2: At the end of make install echo a comment to remind the admin to check the permissions of all the files and directories in PREFIX or wherever they installed for secure values.

Suggestion 3: Consider automatically setting the file and directory mode to be more restrictive (e.g. chmod -R o-rwx PREFIX) after the make install.

Another option would be to provide a script or another make command that would optionally set locked down secure ownership and permissions. "make install --secure-permissions" or something similar perhaps.
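
Added example, not part of the original report or of the httpd build system: a post-install audit of the kind Suggestion 2 asks the admin to perform, listing every entry under PREFIX that is not owned by the expected account or is writable by "other". The function name audit_prefix, its arguments and its report format are assumptions made for this sketch.

```shell
#!/bin/sh
# audit_prefix PREFIX [OWNER]
#   PREFIX  install prefix to check, e.g. /usr/local/apache2
#   OWNER   expected owner, user name or numeric uid (default: root)
# Prints one "<finding><TAB><path>" line per problem.
# Returns 0 if nothing was found, 1 if there are findings, 2 on bad input.
audit_prefix() {
    prefix=$1
    owner=${2:-root}

    if [ ! -d "$prefix" ]; then
        echo "audit_prefix: not a directory: $prefix" >&2
        return 2
    fi

    report=$(
        # Anything (files, directories, symlinks) not owned by OWNER.
        find "$prefix" ! -user "$owner" \
            -exec printf 'owner\t%s\n' {} \;
        # Anything writable by "other"; symlinks are skipped because
        # their own mode bits are not meaningful.
        find "$prefix" ! -type l -perm -0002 \
            -exec printf 'world-writable\t%s\n' {} \;
    )

    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Usage after "sudo make install" (path taken from the report):
#   audit_prefix /usr/local/apache2 root
```

An empty report with exit status 0 means every entry under PREFIX is owned by the expected account and none is world-writable.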