openSUSE update keeps changing suexec permissions

Discussion in 'ISPConfig 3 Priority Support' started by psszrh, Apr 3, 2017.

  1. psszrh

    psszrh New Member HowtoForge Supporter

    Hello,

    How can we prevent zypper updates from changing the permissions of /usr/sbin/suexec?

    We have an openSUSE 42.2 server with the latest ISPConfig.
    We need to keep the permissions for /usr/sbin/suexec at 4775, but the automatic zypper update keeps changing them to 0755. We overwrote the /etc/permissions files, but nevertheless, each update changes the permissions and apache won't restart.

    Note, we also took care that the web folder is writable only by the user (suexec is only secure if the document root doesn't contain files writeable by wwwrun. https://bugzilla.novell.com/show_bug.cgi?id=263789 and http://httpd.apache.org/docs/trunk/suexec.html)
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Try to make the file immutable with:

    chattr +i /usr/sbin/suexec
     
  3. psszrh

    psszrh New Member HowtoForge Supporter

    Thank you Till. This will work, but I'm afraid that the update won't finish or newer files will be mixed up with old ones.

    In the last resort, we will need to make a script that checks every minute if the apache status file contains "fail-state" and "suEXEC".
    Then run chmod 4755 /usr/sbin/suexec2 and systemctl restart apache2.
    Or to check the suexec permissions every minute, fix them and restart apache.

    But, do you know a way to run a script after the update? A simple "chkstat --system --set" after the update would solve my problem.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    I'm sorry, I don't use openSUSE anymore, so I can't give you any YaST-specific details about how to prevent it from changing files.
     
  5. psszrh

    psszrh New Member HowtoForge Supporter

    Thank you Till.
    In the end we made a script (check-suexec.sh) that runs every minute from cron:
    * * * * * /root/bin/check-suexec.sh >/dev/null 2>&1

    check-suexec.sh

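    #!/bin/bash
    # Re-apply the setuid mode on suexec when apache2 has failed because of suEXEC.

    # Count status lines reporting that the unit is in a failed state.
    apacheState=$(systemctl status apache2 | grep -c "failed state")

    if [ "$apacheState" -gt 0 ]; then
        # Only act when the status output also mentions suEXEC.
        suexecState=$(systemctl status apache2 | grep -c "suEXEC")
        if [ "$suexecState" -gt 0 ]; then
            chmod 4755 /usr/sbin/suexec2
            systemctl restart apache2
            date=$(date +"%Y-%m-%d %T")
            echo "[$date] chmod executed" >> "/root/bin/check-suexec.log"
        fi
    fi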
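
The other option raised in post 3 (check the suexec permissions themselves every minute, fix them and restart Apache), sketched as an added example that is not part of the thread or of ISPConfig. It assumes GNU stat; the function name ensure_mode and the script name in the usage comment are hypothetical, while the path, mode and log file are the ones used in the thread.

```sh
#!/bin/sh
# Added example: enforce the mode by reading the file itself instead of
# parsing "systemctl status" output. Assumes GNU stat (coreutils).

# ensure_mode FILE MODE [OWNER_UID]
# returns 0 = already correct, 10 = mode was corrected, 1 = refused or failed
ensure_mode() {
    file=$1 want=$2 owner=${3:-0}
    # chmod follows symlinks, so only act on a regular file at this exact path
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "refusing: $file is not a regular file" >&2
        return 1
    fi
    # never re-apply a setuid mode to a binary not owned by the expected uid
    if [ "$(stat -c '%u' "$file")" != "$owner" ]; then
        echo "refusing: $file is not owned by uid $owner" >&2
        return 1
    fi
    cur=$(stat -c '%a' "$file")
    # compare as octal numbers so that "0755" and "755" are equal
    [ "$((0$cur))" -eq "$((0$want))" ] && return 0
    chmod "$want" "$file" || return 1
    return 10
}

# Runs only when a path and mode are given, e.g. from cron (hypothetical name):
#   * * * * * /root/bin/check-suexec-mode.sh /usr/sbin/suexec2 4755
if [ $# -ge 2 ]; then
    rc=0
    ensure_mode "$1" "$2" || rc=$?
    if [ "$rc" -eq 10 ]; then
        # restart and log only when the mode actually had to be corrected
        systemctl restart apache2
        echo "[$(date +'%Y-%m-%d %T')] mode of $1 reset to $2" >> /root/bin/check-suexec.log
    fi
    [ "$rc" -ne 1 ]
fi
```

Pass the path of the real binary: a symlink is refused rather than followed, and the log then shows exactly when an update reset the mode.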
     
