On Sun, Jul 22, 2012 at 09:57:18PM +0200, Stefan Fritsch wrote:
> And if it gets secured to where a code execution exploit does not grant
> full root rights, I would probably be in favor of including it with httpd.
I took a look at using seccomp for this, and it would seem it is actually rather hard; you can limit setuid() and setgid() easily enough to a range (so that you'd typically exclude root, daemon and other low-uid stuff), but setgroups() takes in a pointer of supplementary gids to add. I can't find any good ways of looking into that list, so it would seem a rogue process could arbitrarily add any gid (like, 0) to its list.

So it seems to be hard to properly restrict gid, but maybe restricting uid would already give a significant win?

/* Steinar */

-- 
Homepage: http://www.sesse.net/
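The uid-range check and the setgroups() problem described in the message above, as an added example that is not part of this thread or of httpd: a seccomp-bpf filter in C (assuming Linux x86_64 and a constructed cut-off of 1000) that lets setuid()/setgid() through only for ids at or above the cut-off and, since BPF cannot follow the pointer to the gid list, refuses setgroups() outright with EPERM.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#define DENY_EPERM (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

/* Write the filter into prog (room for 11 entries) and return its length.
 * Assumes x86_64: little-endian, so the low 32 bits of args[0] hold the uid_t/gid_t. */
size_t build_filter(struct sock_filter *prog, unsigned min_id)
{
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),   /* foreign ABI: syscall numbers differ */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_setuid, 2, 0),   /* -> range check on arg0 */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_setgid, 1, 0),   /* -> range check on arg0 */
        /* setgroups() gets a pointer to the gid list; BPF cannot read memory, so deny it. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_setgroups, 2, 3),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, min_id, 1, 0),        /* unsigned compare: 0 < min_id */
        BPF_STMT(BPF_RET | BPF_K, DENY_EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),             /* every other syscall */
    };
    memcpy(prog, f, sizeof f);
    return sizeof f / sizeof f[0];
}

/* Install for this process. Only the three calls from the thread are covered; a real
 * deployment must handle setreuid/setresuid/setfsuid and the gid variants the same way. */
int install_filter(unsigned min_id)
{
    struct sock_filter prog[16];
    struct sock_fprog fprog = { .len = (unsigned short)build_filter(prog, min_id), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void)
{
    if (install_filter(1000) != 0) { perror("seccomp"); return 1; }
    printf("setuid(0): %s\n", setuid(0) == 0 ? "allowed" : strerror(errno));
    printf("setuid(%u): %s\n", (unsigned)getuid(), setuid(getuid()) == 0 ? "allowed" : strerror(errno));
    return 0;
}
```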