> 1. In order to do the setuid, the server would need to be running as
> root during the request processing phase. Any bug in Apache request
> processing would then open an instant root hole.

Yes, that's a major problem.

> 2. If you setuid in such a way that you can get back to the original
> root id, then there is no way to prevent your cgi/php script from also
> getting back to the original root id. In other words, to do this
> safely, you need to completely give up the original privileges. Then
> the process would need to die after serving the request. This would
> make for an incredibly slow server.

Obviously. I was under the - as it seems mistaken - impression that when the setuid'd process forks again (i.e. executes a CGI or an exec' command from PHP), it will inherit the EFFECTIVE, i.e. the dropped/user UID, not the real (root) one.

> If you have enough resources, you can get a similar effect now by
> just running separate copies of apache for each user.

Not an option with several thousand users/domains. :)
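The point in item 2 can be checked directly. The following is an added example, not part of the original message and not Apache code: it compares a seteuid-only drop with a full setresuid drop and lets a forked child (standing in for the CGI process) try to get root back. The function names and UID/GID 65534 as an unprivileged account are assumptions; the difference only shows when it is started as root on Linux.

```c
#define _GNU_SOURCE            /* setresuid/setresgid */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Temporary drop: only the effective IDs change; real and saved stay. */
static int drop_temporarily(uid_t uid, gid_t gid) {
    if (setegid(gid) != 0) return -1;
    return seteuid(uid);
}

/* Permanent drop: groups first, then GID, then UID, all three IDs each. */
static int drop_permanently(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;
    return setresuid(uid, uid, uid);
}

/* Fork a worker, drop in it, then fork again as a stand-in for the CGI
 * process and let that grandchild try to become root again.
 * Returns 1 if it got root back, 0 if not, -1 if the drop itself failed. */
int root_regained_after_drop(uid_t uid, gid_t gid, int permanent) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int rc = permanent ? drop_permanently(uid, gid) : drop_temporarily(uid, gid);
        if (rc != 0) _exit(2);
        pid_t cgi = fork();               /* all IDs are inherited unchanged */
        if (cgi < 0) _exit(2);
        if (cgi == 0) _exit(seteuid(0) == 0 && geteuid() == 0 ? 1 : 0);
        if (waitpid(cgi, &status, 0) < 0 || !WIFEXITED(status)) _exit(2);
        _exit(WEXITSTATUS(status));
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 2 ? -1 : WEXITSTATUS(status);
}

int main(void) {
    int root = (geteuid() == 0);
    uid_t uid = root ? 65534 : getuid();   /* 65534: assumed unprivileged UID */
    gid_t gid = root ? 65534 : getgid();
    printf("seteuid only : root regained = %d\n", root_regained_after_drop(uid, gid, 0));
    printf("setresuid    : root regained = %d\n", root_regained_after_drop(uid, gid, 1));
    return 0;
}
```

An execve() in the child would reset the saved UID to the effective one, but after a seteuid-only drop the real UID is still 0, so seteuid(0) still succeeds there.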
