Re: Apache 2.x leaked descriptors
From: Steve Grubb (linux_4ever@yahoo.com)
Date: 02/25/03
Date: 25 Feb 2003 18:41:04 -0000
From: Steve Grubb <linux_4ever@yahoo.com>
To: vuln-dev@securityfocus.com
In-Reply-To: <20030224132559.5665.qmail@www.securityfocus.com>

>I think the real way to fix this for CGI is to have the parent process
>set the F_CLOEXEC flag on all the descriptors it opens, except those
>that the child is supposed to inherit.
> /snip/
>Michael Wojcik

Yes, this is the correct fix and easy enough to do. I just don't know why
they've blown it off for 4 months. This fix should be applied to all
files, pipes, and sockets.

So far, this thread has pretty much centered on whether or not access &
error log inheritance is a problem. Has anyone looked to see what the
scope of the problem is? (Maybe that would convince some people.) Has
anyone played with various modules looking to see if anything beyond
access or error logs is available? For example, if you look at mod_php,
they leak the file descriptor from accept() and the descriptor to the php
page being executed in addition to all the other descriptors.

There's a lot of Apache modules...

-Steve Grubb
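
An added example (not part of the original message and not Apache's code) of the fix discussed in this thread: before spawning a CGI child, the parent marks every open descriptor close-on-exec except the ones the child is meant to inherit, using POSIX `fcntl()` with `FD_CLOEXEC`. The function names, the `/dev/null` stand-in for a log file and the scan bound of 1024 are assumptions made for the illustration.

```c
#include <fcntl.h>
#include <stddef.h>
#include <unistd.h>

/* 1 = open and survives exec(), 0 = open but close-on-exec, -1 = not open. */
int fd_inheritable(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 0 : 1;
}

static int in_keep(int fd, const int *keep, size_t nkeep)
{
    for (size_t i = 0; i < nkeep; i++)
        if (keep[i] == fd)
            return 1;
    return 0;
}

/* Set FD_CLOEXEC on every open descriptor in [lo, hi) that is not in keep[].
 * Returns how many descriptors were changed, or -1 if fcntl() fails. */
int cloexec_all_except(int lo, int hi, const int *keep, size_t nkeep)
{
    int changed = 0;
    for (int fd = lo; fd < hi; fd++) {
        if (in_keep(fd, keep, nkeep) || fd_inheritable(fd) != 1)
            continue;               /* kept on purpose, closed, or already marked */
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1)
            return -1;
        changed++;
    }
    return changed;
}

int main(void)
{
    /* Constructed stand-ins: a "log file" and the pipe feeding the CGI child. */
    int logfd = open("/dev/null", O_WRONLY);
    int cgi_in[2];
    if (logfd < 0 || pipe(cgi_in) < 0)
        return 1;
    int keep[] = { cgi_in[0] };     /* the only descriptor the child should see */
    cloexec_all_except(3, 1024, keep, 1);   /* 1024: assumed scan bound */
    return (fd_inheritable(logfd) == 0 && fd_inheritable(cgi_in[0]) == 1) ? 0 : 1;
}
```

Running `fd_inheritable()` over the descriptor range just before `exec()` also works as an audit: anything that returns 1 and is not on the keep list is a leak of the kind described above.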