
Patching Apache’s Suexec Module

November 30th, 2007

Apache’s suexec module is useful for running CGI and SSI scripts as a defined user. However, all scripts must be located under the compiled-in docroot, and the uid/gid of the user the script runs as must match the script’s owner uid/gid.

This can be a problem if you have a shared CGI app like awstats, as unless you give each user their own copy the uid/gid will not match. Not to mention that the docroot on Fedora is /var/www, so if you want to store your virtual hosts elsewhere you’re out of luck. Not to worry, recompiling Apache isn’t as hard as you might think.

Since we are modifying suexec, there is always the potential that the modifications may cause a security hole. Proceed at your own risk!!

First we need to grab the httpd SRPM from FC5 updates

cd ~
wget http://mirrors.kernel.org/fedora/core/updates/5/SRPMS/httpd-2.2.2-1.3.src.rpm

Next we set up the RPM build area

fedora-buildrpmtree

Install the SRPM into the rpmbuild directory

rpm -ivh httpd-2.2.2-1.3.src.rpm

Grab the suexec no UID/GID check patch

cd rpmbuild/SOURCES
wget http://www.excaliburtech.net/wp-content/uploads/2007/11/suexec_nocheck.patch

Modify the docroot

cd ~/rpmbuild/SPECS
vim httpd.spec
Line 192:
- --with-suexec-docroot=%{contentdir} \
+ --with-suexec-docroot=/ \

Modify the httpd.spec to include the patch

vim httpd.spec
Line 48:
 Patch73: httpd-2.2.3-CVE-2007-3304.patch
+ Patch80: suexec_nocheck.patch
Line 131:
 %patch73 -p1 -b .cve3304
+ %patch80 -p1 -b .nocheck

Now we can build the modified RPM

rpmbuild -ba httpd.spec

Instead of reinstalling Apache, I recommend just extracting the suexec binary from the rebuilt RPM and replacing the installed one

cd ~/rpmbuild
rpm2cpio RPMS/`uname -p`/httpd-2.2.2-1.3.`uname -p`.rpm | cpio -imVd ./usr/sbin/suexec
sudo cp -p /usr/sbin/suexec /usr/sbin/suexec.orig
sudo cp ./usr/sbin/suexec /usr/sbin/suexec
sudo chown root:apache /usr/sbin/suexec
sudo chmod 4510 /usr/sbin/suexec
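As an added example (not part of the original post), here is a small audit script for the installed suexec after the rebuild: `suexec -V` prints the compile-time settings, so the script parses them together with the binary’s mode/owner and warns where the path restriction has been removed (AP_DOC_ROOT=/) or the setuid bits are not 4510 root:apache. The `-V` output format and the stock FC5 floors of 500/100 for AP_UID_MIN/AP_GID_MIN are assumptions; the sample output is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit an installed suexec after
# the rebuild above. `suexec -V` prints the compile-time settings; this script
# parses them plus the binary's mode/owner and flags what the rebuild relaxed.

MIN_UID=500   # Fedora's stock suexec uid floor (assumed from the FC5 spec)
MIN_GID=100   # Fedora's stock suexec gid floor (assumed from the FC5 spec)

# Extract one "-D NAME=value" setting from `suexec -V` output, quotes stripped.
suexec_setting() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*-D $2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p"
}

# $1 = `suexec -V` output, $2 = "mode owner:group" as printed by stat -c '%a %U:%G'.
# Prints one line per finding and returns 1 if any WARN was raised.
audit_suexec() {
    status=0
    docroot=$(suexec_setting "$1" AP_DOC_ROOT)
    uid_min=$(suexec_setting "$1" AP_UID_MIN)
    gid_min=$(suexec_setting "$1" AP_GID_MIN)
    case "$docroot" in
        /|"") echo "WARN: AP_DOC_ROOT='$docroot': no path restriction, suexec will run a CGI from anywhere"
              status=1 ;;
        *)    echo "OK: AP_DOC_ROOT=$docroot" ;;
    esac
    # Once the uid/gid ownership match is patched out, these floors are what still
    # stop suexec from running a script as root or another system account.
    if [ "${uid_min:-0}" -lt "$MIN_UID" ] || [ "${gid_min:-0}" -lt "$MIN_GID" ]; then
        echo "WARN: AP_UID_MIN=$uid_min AP_GID_MIN=$gid_min below $MIN_UID/$MIN_GID"; status=1
    else
        echo "OK: AP_UID_MIN=$uid_min AP_GID_MIN=$gid_min"
    fi
    case "$2" in
        "4510 root:apache") echo "OK: suexec is 4510 root:apache (setuid root, executable only by group apache)" ;;
        *) echo "WARN: suexec is '$2', expected 4510 root:apache"; status=1 ;;
    esac
    return $status
}

# Constructed sample of `suexec -V` output for a stock FC5 build, and the same
# settings after the docroot change described above.
STOCK_V=' -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="apache"
 -D AP_LOG_EXEC="/var/log/httpd/suexec.log"
 -D AP_UID_MIN=500'
PATCHED_V=$(printf '%s\n' "$STOCK_V" | sed 's#AP_DOC_ROOT="/var/www"#AP_DOC_ROOT="/"#')
audit_suexec "$PATCHED_V" "4510 root:apache" || echo "audit: review the WARN lines above"
```

On a real host run it as root, since suexec only answers `-V` for root or the httpd user and prints to stderr: `audit_suexec "$(/usr/sbin/suexec -V 2>&1)" "$(stat -c '%a %U:%G' /usr/sbin/suexec)"`.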