Jorge Schrauwen wrote:
 ... if we had a config finalize, modules who were prepared to declare
 their config (e.g. mod_vhost declaring the per-host directory merges
 "completed") then as-root, we can finish these out, opening logs with
 full privileges.  Other merges will happen at run time (or be optimized
 when we can accomplish this) per-request.

So does a setup like this make it possible for the processes/thread
handling the request to change to the correct UID/GID before
reading/writing files? Just something that popped into my head when
reading this.

No.  Once the httpd engine finishes the config phase altogether, we
continue to drop from root to the desired UID/GID and that process
must not have the privilege to change these again.  The request engine
... which is the container where exploits are targeted, must remain
secure.

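The startup order described in the reply above (open logs while still root during the config phase, then drop to the configured UID/GID so the request-handling process can never change them back), as an added example in C. It is not part of the original thread and not httpd's own code; the function names drop_privileges and open_log_then_drop are hypothetical.

```c
/* Added example (hypothetical helper names): open privileged resources
 * first, then give up root in a way that cannot be undone. */
#define _GNU_SOURCE                      /* for setgroups() */
#include <fcntl.h>
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently switch to uid/gid. Returns 0 on success, -1 on any failure.
 * A server must exit on -1 instead of going on to serve requests. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                       /* "dropping" to root is a config error */

    /* Order matters: groups and GID first, while we may still change them. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;                       /* discard root's supplementary groups */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)                /* as root: sets real, effective, saved UID */
        return -1;

    /* Verify the drop is irreversible: every route back to root must fail. */
    if (setuid(0) == 0 || seteuid(0) == 0 || setgid(0) == 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Config phase: open the log with startup privileges, then drop.
 * The descriptor stays usable afterwards, but the process can no longer
 * open anything that requires root. Returns the log fd, or -1. */
int open_log_then_drop(const char *path, uid_t uid, gid_t gid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0640);
    if (fd < 0)
        return -1;
    if (drop_privileges(uid, gid) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}
```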