Drop elevated permissions when running processes under mod_mpmitk_setuid
Under MPM ITK and mod_mpmitk_setuid a substantial part of request processing is performed with elevated permissions, either under the UID of root or with capabilities which allow setuid.
Some of these permissions may "survive" the execve syscall when starting the sub-process for ResolveEnvByProcess.
These should be dropped as much as possible.
It is unclear which permissions survive (e.g. capabilities should not be inherited by sub-processes) and whether the apr_proc_* interface allows manually intervening in the start of sub-processes.
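One way to check which permissions actually survive is to inspect the Linux /proc/<pid>/status text of the started sub-process. This is an added example, not code from mod_mpmitk_setuid. The PRIV_* flag names, the function names and the sample status text are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Flags for elevated state found in a /proc/<pid>/status text (Linux). */
enum { PRIV_ROOT_UID = 1, PRIV_CAP_ACTIVE = 2, PRIV_CAP_AMBIENT = 4, PRIV_CAP_INHERITABLE = 8 };

/* Constructed sample: effective UID changed, saved UID still 0, inheritable set not cleared. */
static const char SAMPLE_STATUS[] =
    "Name:\thelper\nUid:\t1000\t1000\t0\t1000\nGid:\t1000\t1000\t1000\t1000\n"
    "CapInh:\t00000000000000c0\nCapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\nCapBnd:\t000001ffffffffff\n"
    "CapAmb:\t0000000000000000\n";
/* Read the hex mask of a "CapXxx:" line; returns 1 on a match. */
static int cap_field(const char *line, const char *key, unsigned long long *mask)
{
    size_t n = strlen(key);
    return strncmp(line, key, n) == 0 && sscanf(line + n, "%llx", mask) == 1;
}

/* Return the PRIV_* flags that apply to the given status text. */
int surviving_privileges(const char *status)
{
    int flags = 0;
    for (const char *line = status; line && *line; ) {
        unsigned int r, e, s, f;   /* real, effective, saved, filesystem UID */
        unsigned long long m = 0;
        if (sscanf(line, "Uid: %u %u %u %u", &r, &e, &s, &f) == 4) {
            if (!r || !e || !s || !f) flags |= PRIV_ROOT_UID; /* root, or root can be regained */
        } else if (cap_field(line, "CapPrm:", &m) || cap_field(line, "CapEff:", &m)) {
            if (m) flags |= PRIV_CAP_ACTIVE;      /* usable now or can be raised */
        } else if (cap_field(line, "CapAmb:", &m)) {
            if (m) flags |= PRIV_CAP_AMBIENT;     /* kept across execve of an unprivileged binary */
        } else if (cap_field(line, "CapInh:", &m)) {
            if (m) flags |= PRIV_CAP_INHERITABLE; /* can be regained via file capabilities */
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return flags;
}

int main(void)
{
    static char buf[8192];
    FILE *fp = fopen("/proc/self/status", "r");  /* absent on non-Linux hosts */
    size_t n = fp ? fread(buf, 1, sizeof buf - 1, fp) : 0;
    if (fp) fclose(fp);
    buf[n] = '\0';
    printf("sample=%d self=%d\n", surviving_privileges(SAMPLE_STATUS), surviving_privileges(buf));
    return 0;
}
```

A return value of 0 means no root UID and no permitted, effective, ambient or inheritable capabilities were found. The bounding set (CapBnd) is deliberately ignored because it only limits what can be gained.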