Bug 56252 - make install as privileged user creates files not owned by root
Summary: make install as privileged user creates files not owned by root
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Build (show other bugs)
Version: 2.4.7
Hardware: PC Linux
: P2 enhancement (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-03-12 18:22 UTC by Rodney Beede
Modified: 2014-03-12 18:23 UTC (History)
1 user (show)



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Rodney Beede 2014-03-12 18:22:53 UTC
When building apache from sources I perform the following commands as a non-privileged user:

./configure --with-included-apr

make


For the actual install into my PREFIX (/usr/local/apache2) I execute a privileged command of:

sudo make install


This results in binaries, files, and directories that are NOT owned by root as one might expect.

Some example files (all not owned by root):


/usr/local/apache2/bin/apachectl
/usr/local/apache2/bin/envvars-std
/usr/local/apache2/bin/dbmmanage
/usr/local/apache2/bin/envvars
/usr/local/apache2/bin/apxs

/usr/local/apache2/cgi-bin/printenv
/usr/local/apache2/cgi-bin/printenv.wsf
/usr/local/apache2/cgi-bin/printenv.vbs
/usr/local/apache2/cgi-bin/test-cgi

Files inside  /usr/local/apache2/icons/

/usr/local/apache2/error/include/



Suggestion 1:

Modify the build scripts so when running make install any files or directories copied/created have the ownership and group membership set to the effective uid running the make install.


Suggestion 2:

At the end of make install echo a comment to remind the admin to check the permissions of all the files and directories in PREFIX or wherever they installed for secure values.


Suggestion 3:

Consider automatically setting the file and directory mode to be more restrictive (e.g. chmod -R o-rwx PREFIX) after the make install.

Another option would be to provide a script or another make command that would optionally set locked down secure ownership and permissions.  "make install --secure-permissions" or something similar perhaps.