fix #716621 - suexec now works without setuid bit

httpd-2.2.9-suenable.patch

@@ -1,13 +1,20 @@
+Removes setuid check because we are now using capabilities to ensure proper
+suexec rights.
 
-Upstream-Status: in trunk, differently
+Upstream-status: Not acceptable for upstream in current status.
+suexec_enabled part is in trunk,differently
 
---- httpd-2.2.9/os/unix/unixd.c.suenable
-+++ httpd-2.2.9/os/unix/unixd.c
-@@ -215,7 +215,7 @@ AP_DECLARE(void) unixd_pre_config(apr_po
+diff --git a/os/unix/unixd.c b/os/unix/unixd.c
+index 85d5a98..1ee1dfe 100644
+--- a/os/unix/unixd.c
++++ b/os/unix/unixd.c
+@@ -271,8 +271,8 @@ AP_DECLARE(void) unixd_pre_config(apr_pool_t *ptemp)
+         return;
      }
  
-     if ((wrapper.protection & APR_USETID) && wrapper.user == 0) {
+-    if ((wrapper.protection & APR_USETID) && wrapper.user == 0) {
 -        unixd_config.suexec_enabled = 1;
++    if (wrapper.user == 0) {
 +        unixd_config.suexec_enabled = access(SUEXEC_BIN, R_OK|X_OK) == 0;
      }
  }

httpd.spec

@@ -8,7 +8,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.2.19
-Release: 2%{?dist}
+Release: 3%{?dist}
 URL: http://httpd.apache.org/
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz
 Source1: index.html
@@ -452,7 +452,8 @@ rm -rf $RPM_BUILD_ROOT
 %{_sbindir}/ht*
 %{_sbindir}/apachectl
 %{_sbindir}/rotatelogs
-%caps(cap_setuid,cap_setgid+pe) %attr(510,root,%{suexec_caller}) %{_sbindir}/suexec
+# cap_dac_override needed to write to /var/log/httpd
+%caps(cap_setuid,cap_setgid,cap_dac_override+pe) %attr(510,root,%{suexec_caller}) %{_sbindir}/suexec
 
 %dir %{_libdir}/httpd
 %dir %{_libdir}/httpd/modules
@@ -511,6 +512,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/httpd/build/*.sh
 
 %changelog
+* Wed Jul 20 2011 Jan Kaluza <jkaluza@redhat.com> - 2.2.19-3
+- fix #716621 - suexec now works without setuid bit
+
 * Thu Jul 14 2011 Jan Kaluza <jkaluza@redhat.com> - 2.2.19-2
 - fix #689091 - backported patch from 2.3 branch to support IPv6 in logresolve