httpd-dev mailing list archives

From Jeff Trawick <traw...@gmail.com>
Subject Re: mpm-itk and upstream Apache, once again
Date Sun, 05 Aug 2012 16:49:43 GMT
On Sun, Aug 5, 2012 at 11:32 AM, Steinar H. Gunderson
<sgunderson@bigfoot.com> wrote:
> On Sun, Aug 05, 2012 at 11:05:59AM -0400, Jeff Trawick wrote:
>> Great!  I'll do something about the remaining patch "before long".
>
> When the time comes, do we have any hopes of getting this back from trunk to
> 2.4, or would it need to wait for 2.6/3.0?

2.4.small-number

>
> FWIW, the mpm-itk security hardening that was discussed (running with uid != 0,
> and limiting setuid/setgid ranges through seccomp) is starting to come quite
> nicely along, although the problem of initgroups() remains (a rogue process
> with CAP_SETGID can add any supplementary group it pleases, and seccomp is
> unable to check it), and there's been very limited user testing so far.
> I guess we can't get fully down to the level of prefork, but it can get
> pretty close.
>
> /* Steinar */
> --
> Homepage: http://www.sesse.net/



-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
