Bug 60426 - suexec dosnt use AP_SAFE_PATH
Summary: suexec dosnt use AP_SAFE_PATH
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: support (show other bugs)
Version: 2.4.23
Hardware: All Solaris
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-11-28 10:00 UTC by kaempfer
Modified: 2016-11-28 10:00 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description kaempfer 2016-11-28 10:00:42 UTC
I compiled suexec with
# support/suexec -V
 -D AP_DOC_ROOT="/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="www"
 -D AP_LOG_EXEC="/var/apache2/2.4/logs/suexec_log"
 -D AP_SAFE_PATH="/usr/wwwbin"
 -D AP_UID_MIN=100
 -D AP_USERDIR_SUFFIX=".public_html"
#
But suexec dont use AP_SAFE_PATH, scripts from /usr/bin can execute from every user. A look at suexec.c shows, that AP_SAFE_PATH is without effect.

In apache2.2 it works.