opensuse update keep changing suexec permissions

Discussion in 'ISPConfig 3 Priority Support' started by psszrh, Apr 3, 2017.

  1. psszrh

    psszrh New Member

    Hello,

    How can we prevent zypper updates to change the permissions of /usr/sbin/suexec?

    We have an openSUSE 42.2 server with the latest ISPConfig.
    We need to keep the permissions for /usr/sbin/suexec to 4775, but the automatic zypper update keeps changing it to 0755. We overwrote the /etc/permissions files, but nevertheless, each update changes the permissions and apache won't restart.

    Note, we also took care that the web folder is writable only by the user (suexec is only secure if the document root doesn't contain files writeable by wwwrun. https://bugzilla.novell.com/show_bug.cgi?id=263789 andhttp://httpd.apache.org/docs/trunk/suexec.html)
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Try to make the file immutable with:

    chattr +i /usr/sbin/suexec
     
  3. psszrh

    psszrh New Member

    Thank you Till. This will work, but I'm afraid than the update won't finish or newer files will be mixed up with old ones.

    In the last resort, we will need to make a script that check every minute if the apache status file contains "fail-state" and "suEXEC".
    Then run chmod 4755 /usr/sbin/suexec2 and systemctl restart apache2.
    Or to check the suexec permissions every minute, fix them and restart apache.

    But, do you know a way to run a script after the update? A simple "chkstat --system --set" after the update would solve my problem.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    I'm sorry, I don't use OpenSUSE anymore, so I can't give you any yast specific details about how to prevent that it changes files.
     
  5. psszrh

    psszrh New Member

    Thank you Till.
    At the end we made a script running every minute (check-suexec.sh) from cron
    * * * * * /root/bin/check-suexec.sh >/dev/null 2>&1

    check-suexec.sh

    #!/bin/bash

    apacheState=$(systemctl status apache2 | grep "failed state" | wc -l);

    if [ $apacheState -gt 0 ]; then
    suexecState=$(systemctl status apache2 | grep "suEXEC" | wc -l);
    if [ $suexecState -gt 0 ]; then
    chmod 4755 /usr/sbin/suexec2
    systemctl restart apache2
    date=$(date +"%Y-%m-%d %T")
    echo "["$date"] chmod executed" >> "/root/bin/check-suexec.log"
    fi
    fi
     

Share This Page