Bug#366124: apache2: should mark its listening socket close-on-exec
> If Apache behaves like this, it's a security issue, especially if
> it occurs together with SuexecUserGroup. Non-privileged processes
> can intercept HTTP requests and impersonate the web server process.
mod_cgi closes the socket (I checked 2.2) so it is only an issue with
mod_php.
AFAIK mod_php has no facility to change the uid, so it is no security
issue: As long as the uid stays the same, the spawned process can
ptrace the apache process and do anything it wants anyway.
Maybe one could check fastcgi as well. But if the missing
close-on-exec breaks restart in some cases, it should probably be
fixed in apache itself.
Reply to: