Re: Apache 2.x leaked descriptors

From: Brian Hatch (vuln-dev@ifokr.org)
Date: 02/25/03

    Date: Tue, 25 Feb 2003 09:27:43 -0800
    From: Brian Hatch <vuln-dev@ifokr.org>
    To: Christian Kratzer <ck@cksoft.de>
    
    
    

    > Apache 2.0 currently execs cgi scripts / server side includes etc... with
    > file descriptors open to all access and error logs on the server and also
    > to a couple of internal pipes.
    >
    > This means any cgi script can muck around with all access and error logs,
    > read them, truncate them, overwrite them or append funny stuff.
    >
    > There is a bug in apache 2.0 that prevents closing of these internal resources
    > before running the cgi's.
    >
    > That's all. And that's enough ...

    I'd argue that the error log *should* be available to exec'd CGIs
    etc. That way the STDERR of a CGI is available to the programmer
    for debugging purposes. Beats the hell out of printing debugging
    information to the webbrowser. This has been the case for all the
    Apache versions I'm familiar with.

    Now the error log should be opened in append only mode, such that these
    logs can only grow the error log, not overwrite or truncate. I do
    not know if this is the case. If there is more than one error log
    for that apache process, I'd argue that apache should close all
    of them except the one associated with that program (probably
    because of the VirtualHost it's associated with, for example.)

    I don't see any reason for the access log to be writeable, however,
    so I agree they should all be closed.

    If the error log (the only one that is appropriate for the
    exec'd program in question) is opened in append only mode, this
    seems to be appropriate. I think an apache directive to allow
    all logs to be closed would be a good one, or perhaps a flag
    to define close on exec when you define your log files.

    --
    Brian Hatch                  So many pedestrians,
       Systems and                so little time.
       Security Engineer
    http://www.ifokr.org/bri/
    Every message PGP signed
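
The two mechanisms discussed in the message above, as an added example that is not part of the original post and is not Apache code: a log opened with O_APPEND, and a per-log close-on-exec flag that decides whether an exec'd CGI inherits the descriptor. The function names `open_log`, `survives_exec` and `write_at_start` and the demo file names are assumptions made for this sketch.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a log for appending; close_on_exec is the hypothetical per-log flag. */
int open_log(const char *path, int close_on_exec)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0600);
    if (fd >= 0 && close_on_exec &&
        fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* 1 if fd stays open across exec(), 0 if exec closes it, -1 if not open. */
int survives_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : !(flags & FD_CLOEXEC);
}

/* Seek to offset 0, then write: returns the file size afterwards, -1 on error.
 * On an O_APPEND descriptor the data still lands at the end of the file. */
long write_at_start(int fd, const char *buf, size_t len)
{
    struct stat st;
    if (lseek(fd, 0, SEEK_SET) < 0 || write(fd, buf, len) != (ssize_t)len ||
        fstat(fd, &st) < 0)
        return -1;
    return (long)st.st_size;
}

int main(void)
{
    /* Constructed file names in the current directory. */
    int err = open_log("demo_error.log", 0);   /* inherited by the CGI */
    int acc = open_log("demo_access.log", 1);  /* closed at exec */
    if (err < 0 || acc < 0) return 1;
    printf("error log survives exec: %d\n", survives_exec(err));
    printf("access log survives exec: %d\n", survives_exec(acc));
    printf("size after write_at_start: %ld\n", write_at_start(err, "cgi\n", 4));
    close(err); close(acc);
    unlink("demo_error.log"); unlink("demo_access.log");
    return 0;
}
```

Running `survives_exec` over every open descriptor just before the exec gives a quick audit of what the child process will inherit.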
    
    



