On Thu, Oct 07, 2004 at 12:51:36PM -0400, Alan Cox wrote: > On Thu, Oct 07, 2004 at 05:41:38PM +0100, Joe Orton wrote: > > > Your apache needs to have setfsuid rights, that is all > > > > Are you talking about capabilities or SELinux policy there? Does the > > capability bit not then allow children to setfsuid(0) and write files as > > root? > > You have control over how its inherited depending on whether you admit to > being capability aware or not. In the sane case you'd turn it off when > execing just as you make sure files all get closed. It's not CGI scripts which is the issue, the issue is whether or not an OpenSSL buffer overflow gives you remote root or just the privileges of the "apache" user as it currently does. joe
