# suexec failed to setgid

## zBrain

I can't figure this one out.

- The group exists

```
# filecap /usr/sbin/suexec
file                 capabilities
/usr/sbin/suexec     setgid, setuid
```

```
# ls -l /usr/sbin/suexec
-rws--x--- 1 root apache 18680 Sep  5 15:46 /usr/sbin/suexec
```

The USE flag suexec-caps is turned on. The CGI binary meets all the criteria from suexec -V.

Any ideas?

----------

## zBrain

So it turns out it had something to do with systemd. I had switched to it just to try it. Everything else seemed fine. Switching back to OpenRC fixed it.

Anybody have a guess why this might be?

----------

## Hu

What security features did systemd enable when it started apache? Did it set no-new-privs?

----------

## zBrain

How do I check?

----------

## Hu

```
grep NoNewPrivs /proc/pid-of-affected-process/status
```

----------
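
The check Hu describes, as an added example that is not part of any post in this thread. It goes one step further than the grep and also tests whether CAP_SETGID (bit 6) and CAP_SETUID (bit 7) are still in the process's capability bounding set, since either condition stops a helper like suexec from gaining the privileges it needs on exec. The function names and the sample status content are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Works on any file in /proc/<pid>/status format.

# status_field FILE KEY: print the value of "KEY:" from a status file.
status_field() {
    awk -v k="$2:" '$1 == k { print $2; exit }' "$1"
}

# cap_in_bounding FILE BIT: succeed if capability number BIT is set in CapBnd.
cap_in_bounding() {
    hex=$(status_field "$1" CapBnd)
    [ -n "$hex" ] && [ $(( (0x$hex >> $2) & 1 )) -eq 1 ]
}

# exec_priv_verdict FILE: say whether a setuid/file-capability helper such as
# suexec can still gain CAP_SETGID (6) and CAP_SETUID (7) when this process execs it.
exec_priv_verdict() {
    nnp=$(status_field "$1" NoNewPrivs)
    if [ -z "$nnp" ]; then
        echo "unknown: no NoNewPrivs line (kernel older than 4.10 or unreadable file)"
    elif [ "$nnp" = 1 ]; then
        echo "blocked: NoNewPrivs=1, exec ignores setuid/setgid bits and file capabilities"
    elif ! cap_in_bounding "$1" 6 || ! cap_in_bounding "$1" 7; then
        echo "blocked: CAP_SETGID or CAP_SETUID is not in the bounding set"
    else
        echo "ok: exec can still grant setuid/setgid privileges"
    fi
}

# Constructed sample (not captured from a real system): a worker with NoNewPrivs set.
sample=$(mktemp)
printf 'Name:\thttpd\nNoNewPrivs:\t1\nCapBnd:\t000001ffffffffff\n' > "$sample"
exec_priv_verdict "$sample"
rm -f "$sample"

# On a live host, pass the real file: exec_priv_verdict /proc/<pid>/status
```

Run it against the Apache worker that invokes suexec, not the suexec binary itself, because the flag is inherited from the parent across fork and exec.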

## zBrain

Necroing my own thread. I have come back to a situation where I need systemd and in searching this issue I found my own thread.

I also found this:

https://forums.gentoo.org/viewtopic-t-1089193-start-0.html

So, I can work around it.

I did file a bug https://bugs.gentoo.org/750470

Just posting this for future people who may search for this issue (which may be future me!)

----------

