> If Apache behaves like this, it's a security issue, especially if > it occurs together with SuexecUserGroup. Non-privileged processes > can intercept HTTP requests and impersonate the web server process.
mod_cgi closes the socket (I checked 2.2) so it is only an issue with mod_php. AFAIK mod_php has no facility to change the uid, so it is no security issue: As long as the uid stays the same, the spawned process can ptrace the apache process and do anything it wants anyway. Maybe one could check fastcgi as well. But if the missing close-on-exec breaks restart in some cases, it should probably be fixed in apache itself. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
