On Sun, Aug 05, 2012 at 11:05:59AM -0400, Jeff Trawick wrote: > Great! I'll do something about the remaining patch "before long".
When the time comes, do we have any hopes of getting this back from trunk to 2.4, or would it need to wait for 2.6/3.0? FWIW, the mpm-itk security hardening that was discussed (running with uid != 0, and limiting setuid/setgid ranges through seccomp) is starting to come quite nicely along, although the problem of initgroups() remains (a rogue process with CAP_SETGID can add any supplementary group it pleases, and seccomp is unable to check it), and there's been very limited user testing so far. I guess we can't get fully down to the level of prefork, but it can get pretty close. /* Steinar */ -- Homepage: http://www.sesse.net/
