On Sun, Aug 5, 2012 at 11:32 AM, Steinar H. Gunderson <[email protected]> wrote:
> On Sun, Aug 05, 2012 at 11:05:59AM -0400, Jeff Trawick wrote:
>> Great! I'll do something about the remaining patch "before long".
>
> When the time comes, do we have any hopes of getting this back from trunk to
> 2.4, or would it need to wait for 2.6/3.0?

2.4.small-number

> FWIW, the mpm-itk security hardening that was discussed (running with
> uid != 0, and limiting setuid/setgid ranges through seccomp) is starting to
> come along quite nicely, although the problem of initgroups() remains (a rogue
> process with CAP_SETGID can add any supplementary group it pleases, and
> seccomp is unable to check it), and there's been very limited user testing so
> far. I guess we can't get fully down to the level of prefork, but it can get
> pretty close.
>
> /* Steinar */
> --
> Homepage: http://www.sesse.net/

--
Born in Roswell... married an alien...
http://emptyhammock.com/
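The hardening Steinar describes in the quoted text above (a seccomp filter that confines setuid()/setgid() to a configured id range, and the initgroups() gap that seccomp cannot close) as a worked example. This is added illustration, not code from mpm-itk or httpd. It assumes Linux on x86_64 or aarch64 with the kernel's seccomp-bpf headers; the range bounds, the "kill everything else" disposition and the syscall set are illustrative choices, and the tiny interpreter exists only so the policy can be checked as data without root.

```c
/* Added example, not code from mpm-itk or httpd: a seccomp-bpf policy that
 * confines setuid()/setgid() to a uid/gid range, plus a minimal BPF
 * interpreter so the policy can be exercised as data without root.
 * Assumes Linux on x86_64 or aarch64; bounds and policy are illustrative. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
/* Offset of the low 32 bits of syscall argument i in struct seccomp_data. */
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
#define ARG_LO(i) ((uint32_t)offsetof(struct seccomp_data, args[i]))
#else
#define ARG_LO(i) ((uint32_t)offsetof(struct seccomp_data, args[i]) + 4)
#endif
#define FILTER_LEN 11

/* setuid/setgid pass only when lo <= id <= hi.  setgroups (what initgroups()
 * ends up calling) is killed outright: its group list lives behind the pointer
 * in args[1], and a filter sees only register values, never memory, so the
 * choice is all or nothing.  Everything else is allowed. */
static void build_filter(uint32_t lo, uint32_t hi, struct sock_filter out[FILTER_LEN])
{
    struct sock_filter prog[FILTER_LEN] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 0, 8),   /* 1: foreign ABI -> 10 */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_setgroups, 6, 0), /* 3: match -> 10 */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_setuid, 1, 0),    /* 4: match -> 6 */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_setgid, 0, 3),    /* 5: no match -> 9 */
        /* uid_t/gid_t are 32-bit and the kernel ignores the upper half of the
         * register, so checking the low word is exact, not an approximation. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(0)),
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, lo, 0, 2),            /* 7: id < lo -> 10 */
        BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, hi, 1, 0),            /* 8: id > hi -> 10 */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),             /* 9 */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),              /* 10 */
    };
    memcpy(out, prog, sizeof prog);
}

/* Interpreter for just the opcodes used above; the kernel runs the real one. */
static uint32_t run_filter(const struct sock_filter *f, size_t n, const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *in = &f[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k + 4 > sizeof *d)
                return SECCOMP_RET_KILL;    /* kernel rejects such loads at install */
            memcpy(&acc, (const unsigned char *)d + in->k, 4);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += acc == in->k ? in->jt : in->jf; break;
        case BPF_JMP | BPF_JGE | BPF_K: pc += acc >= in->k ? in->jt : in->jf; break;
        case BPF_JMP | BPF_JGT | BPF_K: pc += acc >  in->k ? in->jt : in->jf; break;
        case BPF_RET | BPF_K:           return in->k;
        default:                        return SECCOMP_RET_KILL; /* not modelled */
        }
    }
    return SECCOMP_RET_KILL;                /* ran off the end: kernel would reject */
}

/* Policy decision for one hypothetical syscall (SECCOMP_RET_ALLOW or _KILL). */
static uint32_t decide(uint32_t lo, uint32_t hi, uint32_t arch, int nr, uint64_t a0, uint64_t a1)
{
    struct sock_filter prog[FILTER_LEN];
    struct seccomp_data d = { .nr = nr, .arch = arch, .args = { a0, a1 } };
    build_filter(lo, hi, prog);
    return run_filter(prog, FILTER_LEN, &d);
}

/* Install for real: irreversible for this process and everything it forks. */
static int install_filter(uint32_t lo, uint32_t hi)
{
    struct sock_filter prog[FILTER_LEN];
    struct sock_fprog fprog = { .len = FILTER_LEN, .filter = prog };
    build_filter(lo, hi, prog);
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog, 0, 0);
}

int main(void)
{
    const uint32_t lo = 1000, hi = 59999;   /* constructed range for the demo */
    printf("setuid(1000)   -> %s\n", decide(lo, hi, FILTER_ARCH, SYS_setuid, 1000, 0) == SECCOMP_RET_ALLOW ? "allow" : "kill");
    printf("setuid(0)      -> %s\n", decide(lo, hi, FILTER_ARCH, SYS_setuid, 0, 0) == SECCOMP_RET_ALLOW ? "allow" : "kill");
    printf("setgroups(...) -> %s\n", decide(lo, hi, FILTER_ARCH, SYS_setgroups, 1, 0) == SECCOMP_RET_ALLOW ? "allow" : "kill");
    if (install_filter(lo, hi) != 0) { perror("seccomp"); return 1; }
    /* In range (uid 1000..59999) this prints 0; outside it the kernel kills us with SIGSYS. */
    printf("setuid(getuid()) = %d\n", setuid(getuid()));
    return 0;
}
```

Two things the example makes concrete. First, the range check is on a value the filter can read directly, so it is exact for setuid/setgid; that is what lets a uid != 0 mpm-itk child keep CAP_SETUID/CAP_SETGID while being unable to become root. Second, there is no comparable instruction for setgroups(2): the only thing in the registers is the list length and a user-space pointer, so the filter above can only refuse the call entirely, which also breaks the legitimate initgroups() a per-vhost switch needs; allowing it instead leaves exactly the hole Steinar describes. On 32-bit ABIs with legacy 16-bit variants (setuid vs setuid32) every variant would need its own dispatch line, which is why the example deliberately limits itself to x86_64 and aarch64.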
