Re: Apache 2.x leaked descriptors
From: Steve Grubb (linux_4ever@yahoo.com)
Date: 02/24/03
Date: 24 Feb 2003 13:25:59 -0000
From: Steve Grubb <linux_4ever@yahoo.com>
To: vuln-dev@securityfocus.com
In-Reply-To: <3E57FDE3.9040502@divisionbyzero.com>
>you can do more than that. unless the web server uses suexec, all the
>cgi's run as the webserver user, who most likely has:
>
>at least w to all log files for all vhosts (probably r+w)
>at least r on all webhosting directories
>at least r+x on all cgi-bin directories
>
>this is (and has been) a known issue for a while. it has periodically
>been discussed on the apache mailing lists, and i think it came up on
>bugtraq recently as well.
There are ways to stop virtual hosted sites from having access to their
neighbors or even having direct access to their own log files. This can be
done through chroot, a sandbox, or jail. The problem is that all of these
protection mechanisms break down if you inherit an open descriptor. The
jail or sandbox would have to fstat thousands of file descriptors to see
if they are open and close them before exec'ing the cgi. This is a
performance hit and therefore unlikely. Apache 1.3.27 doesn't have this
problem.
Cheers,
Steve Grubb
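
The fstat-and-close sweep the message above describes, as an added example in C (not part of the original post and not Apache code). The helper name `sweep_fds`, the wrapper layout and the 1024 fallback limit are assumptions made for illustration.

```c
/* Added example: sweep inherited descriptors before exec'ing a CGI. */
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Probe every descriptor in [lowfd, maxfd) with fstat() and close the
 * open ones when do_close is non-zero. Returns how many were found open.
 * (sweep_fds is a hypothetical helper name, not an Apache function.) */
int sweep_fds(int lowfd, int maxfd, int do_close)
{
    int found = 0;
    for (int fd = lowfd; fd < maxfd; fd++) {
        struct stat st;
        if (fstat(fd, &st) == -1 && errno == EBADF)
            continue;                 /* slot is not an open descriptor */
        found++;
        if (do_close)
            close(fd);
    }
    return found;
}

/* Wrapper a jail or sandbox could run in place of the CGI: close whatever
 * leaked in from the parent above stderr, report it, then exec the program. */
int main(int argc, char **argv)
{
    long limit = sysconf(_SC_OPEN_MAX);   /* sweep cost grows with this limit */
    if (limit < 0)
        limit = 1024;                     /* assumed fallback */
    int leaked = sweep_fds(STDERR_FILENO + 1, (int)limit, 1);
    fprintf(stderr, "closed %d inherited descriptor(s)\n", leaked);
    if (argc < 2)
        return 0;
    execv(argv[1], &argv[1]);
    perror("execv");
    return 127;
}
```

Each probed slot costs one system call, so the sweep scales with the descriptor limit rather than with the number of descriptors actually open.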