This appears to still be a problem under Apache 1.3.4. I'll restate: initgroups() is called to initialize supplementary groups for Apache, but when CGI scripts are exec'd a check is performed which prevents the use of those supplementary group privileges to exec() the script (unless MULTIPLE_GROUPS is defined). This is problematic because the script is still invoked with the supplementary groups defined, thus it can exec others using those privileges (that Apache couldn't).
My recommendation is to remove the supplementary groups using setgroups() after the fork() (unless MULTIPLE_GROUPS is defined). robs
