In article <c75a84166056c94f84d238a44af9f6ad277...@ausx10mpc103.amer.dell.com>, <paul_kon...@dell.com> wrote:
>But apache is security critical, isn't it? And it certainly is
>threaded. Or are you applying the term "security critical" only to a
>smaller set of components?

Yes, but apache is designed to be threaded. login, su, and other pam users
not necessarily. Typically programs "know" the closure of shared libraries
that they can potentially use, and PAM breaks that model. The
threaded/non-threaded case is a particularly nasty example, where a program
might assume that it can use static storage and non-threaded interfaces
(res_foo() instead of res_nfoo(), getdbfoo() instead of getdbfoo_r()) and
then suddenly it finds itself in a threaded environment and potential
heisenbugs. In the apache case these may affect only the apache user and
whatever access it has, but in the login/su and other PAM users' cases this
leads to a complete system compromise.

christos
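
An added example, not part of the original post: it shows why a static-storage interface of the getdbfoo() kind is unsafe once code the program did not anticipate runs alongside it, next to the getdbfoo_r() style with caller-owned storage. The names `acct_lookup`, `acct_lookup_r` and `module_code` and the account data are hypothetical, and the interleaving that a second thread would cause is simulated with a direct call so the outcome is deterministic.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample database; names and uids are made up for this example. */
struct acct { char name[16]; unsigned uid; };
static const struct acct db[] = { {"alice", 1000}, {"root", 0} };

/* Reentrant form (getdbfoo_r style): the result goes into caller-owned storage. */
int acct_lookup_r(const char *name, struct acct *out)
{
    for (size_t i = 0; i < sizeof db / sizeof db[0]; i++)
        if (strcmp(db[i].name, name) == 0) { *out = db[i]; return 0; }
    return -1;
}

/* Non-reentrant form (getdbfoo style): one static record shared by every caller. */
struct acct *acct_lookup(const char *name)
{
    static struct acct rec;
    return acct_lookup_r(name, &rec) == 0 ? &rec : NULL;
}

/* Stands in for code in a dynamically loaded module; in a threaded process
   this lookup could run at any point between the caller's lookup and its use. */
static void module_code(void) { (void)acct_lookup("root"); }

/* The program looks up the user, module code runs, then the program uses the uid. */
unsigned uid_seen_static(const char *user)
{
    struct acct *a = acct_lookup(user);
    if (a == NULL) return (unsigned)-1;
    module_code();              /* interleaved lookup overwrites *a */
    return a->uid;
}

unsigned uid_seen_reentrant(const char *user)
{
    struct acct mine;
    if (acct_lookup_r(user, &mine) != 0) return (unsigned)-1;
    module_code();              /* cannot touch 'mine' */
    return mine.uid;
}

int main(void)
{
    printf("static: %u  reentrant: %u\n",
           uid_seen_static("alice"), uid_seen_reentrant("alice"));
    return 0;
}
```

With real threads the overwrite depends on scheduling, which is what makes the static-storage variant an intermittent bug rather than a reproducible one.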