Ok, this is *very* obscure, but could, just possibly, be leveraged by an attacker.

When called by CGI scripts, getlogin() returns the login name associated with the shell which started Apache.

Normally, if Apache is started at runtime or restarted via cron, this will just return "root". However, if an administrator logs in as themselves, uses su to become root, and then restarts Apache, anyone who can create and run CGI scripts on the server can find out the login name of a user who knows the root password.

Of course, on a default installation of most operating systems you could get that same information by grepping /var/log/messages, so this is hardly a big security hole. But it is still an information leak, and on an extremely secure system it could be used by an attacker to determine which account he should try to break into to use as a stepping stone to root.

What do people think... is this worth pointing out to the Apache people?
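
A local check for the behaviour described above, as an added example that is not part of the original post: it compares what getlogin() returns with the name of the process's effective user, so an administrator can run it in the web server's CGI context and see whether a login name is exposed. The function names, the enum and the names used to exercise it are constructed for illustration.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum leak { NO_LOGIN = 0, SAME_USER = 1, DISCLOSES_OTHER = 2 };

/* Pure comparison, kept separate so it can be checked with constructed names. */
enum leak classify(const char *login, const char *effective)
{
    if (login == NULL || login[0] == '\0')
        return NO_LOGIN;        /* getlogin() failed or returned nothing */
    if (effective != NULL && strcmp(login, effective) == 0)
        return SAME_USER;       /* nothing beyond the process's own user */
    return DISCLOSES_OTHER;     /* session login differs from the effective user */
}

/* Query the running process; copies the getlogin() result into out. */
enum leak audit_getlogin(char *out, size_t outlen)
{
    char login[256] = "";
    const char *l = getlogin();          /* may be NULL without a login session */
    struct passwd *pw;

    if (l != NULL)                       /* copy first: result may be static storage */
        snprintf(login, sizeof login, "%s", l);
    pw = getpwuid(geteuid());            /* name of the user the process runs as */
    if (out != NULL && outlen > 0)
        snprintf(out, outlen, "%s", login);
    return classify(login, pw ? pw->pw_name : NULL);
}

int main(void)
{
    char name[256];
    enum leak r = audit_getlogin(name, sizeof name);

    if (r == DISCLOSES_OTHER)
        printf("getlogin() exposes login name \"%s\" to this process\n", name);
    else if (r == SAME_USER)
        printf("getlogin() matches the effective user (%s)\n", name);
    else
        printf("getlogin() returned no login name\n");
    return 0;
}
```

If the check reports an exposed name, restarting the server from a context that is not tied to an administrator's personal login session (boot scripts or cron, as the post notes) changes what CGI scripts see.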