If I have understood this correctly, preserving the controlling tty like this allows an escalation from www-data to root. If, for example, I run "/etc/init.d/apache start" from a root shell which I don't close soon after, a resulting apache process running as www-data will share a controlling tty with a root shell. A remote compromise of that process can then just inject characters using TIOCSTI and execute commands as root. In my opinion, it's not immensely unreasonable to manually bring down apache and start it up again from a shell. Why is this bug still unresolved after so long? The current workaround is of course to immediately kill any terminal that has just invoked apache.
Richard
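A defender's check for the condition described in the message above, as an added example that is not part of the original post: it reads the `tty_nr` field of `/proc/<pid>/stat` and reports non-root processes whose controlling tty is also the controlling tty of a root-owned process. Linux `/proc` is assumed; the sample lines, PIDs and UIDs are constructed for illustration.

```python
import os
from collections import defaultdict

def parse_stat(line):
    """Return (pid, comm, tty_nr) from one /proc/<pid>/stat line."""
    # comm sits in parentheses and may itself contain spaces or ')',
    # so split on the last ')' instead of on whitespace.
    head, _, tail = line.rpartition(")")
    pid, _, comm = head.partition(" (")
    rest = tail.split()              # state ppid pgrp session tty_nr ...
    return int(pid), comm, int(rest[4])

def tty_name(tty_nr):
    """Decode tty_nr: major in bits 15-8, minor in bits 31-20 and 7-0."""
    major = (tty_nr >> 8) & 0xFF
    minor = ((tty_nr >> 12) & 0xFFF00) | (tty_nr & 0xFF)
    return f"pts/{minor}" if major == 136 else f"{major}:{minor}"

def shared_with_root(procs):
    """procs: iterable of (stat_line, uid). Return the non-root processes
    whose controlling tty is also held by a root-owned process."""
    by_tty = defaultdict(list)
    for line, uid in procs:
        pid, comm, tty_nr = parse_stat(line)
        if tty_nr != 0:              # 0 means no controlling tty (detached)
            by_tty[tty_nr].append((pid, comm, uid))
    findings = []
    for tty_nr, members in by_tty.items():
        if any(uid == 0 for _, _, uid in members):
            findings += [(pid, comm, uid, tty_name(tty_nr))
                         for pid, comm, uid in members if uid != 0]
    return sorted(findings)

def scan_proc():
    """Collect (stat_line, uid) for live processes from /proc."""
    out = []
    for d in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{d}/stat") as f:
                out.append((f.read(), os.stat(f"/proc/{d}").st_uid))
        except OSError:
            pass                     # process exited during the scan
    return out

# Constructed sample: a root shell on pts/0, a daemon started from it that
# kept the tty, one detached daemon, and an unrelated user shell on pts/1.
SAMPLE = [
    ("1200 (bash) S 1199 1200 1200 34816 1200 4194304", 0),
    ("1300 (apache2) S 1 1300 1200 34816 1200 4194304", 0),
    ("1301 (apache2) S 1300 1300 1200 34816 1200 4194304", 33),
    ("1400 (odd name) x) S 1 1400 1400 0 -1 4194304", 33),
    ("1500 (bash) S 1499 1500 1500 34817 1500 4194304", 1000),
]

if __name__ == "__main__":
    for pid, comm, uid, tty in shared_with_root(scan_proc()):
        print(f"pid {pid} ({comm}) uid {uid} shares {tty} with a root process")
```

On a live system the output also lists ordinary interactive sessions where a user ran `su` or `sudo`, so the entries to review are those belonging to daemon accounts.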