Bugtraq mailing list archives

Re: Bug in apache httpd 1.1.3


From: dgaudet () ARCTIC ORG (Dean Gaudet)
Date: Sun, 16 Feb 1997 19:16:33 -0800


Only some architectures require the apache_status file (those which don't
implement mmap or shared mem "well enough" for some definition of well
enough that I'm too lazy to dig out of the archives).  Linux is one of
them, Solaris isn't.

In 1.2b6 that file has been moved to "logs/apache_runtime_status" which
places it in the ServerRoot.  There are also some notices in the
documentation about the security implications of log file and parent
directory ownership.  So the problem is effectively not there on systems
that are configured correctly.

A temporary fix under 1.1.3 and earlier would be to add the following to
your httpd.conf:

ScoreBoardFile /path/to/root-writeable-only-directory/apache_status

For some appropriate directory.  But note that the same problem exists
with all the log files as well, so your log directory should be
root-writeable only.

We're open to portable solutions... but as of yet, the 1.2 betas only
document the security implications of this problem and don't do anything
to restrict or warn about it at run time.

Dean

On Sun, 16 Feb 1997, Mihai Ibanescu wrote:

        Hello!

        I noticed something interesting on my RedHat Linux system (and on
some other Linuxes).
        httpd creates a file /tmp/apache_status, and blindly follows any
link if /tmp/apache_status points somewhere, for instance /etc/passwd. So
one can overwrite any file in the system, if she is able to create such a
link, and I don't think that's impossible.
        The funny thing is that I have apache 1.1.3 installed on a SPARC
Solaris, and the problem doesn't exist there. So am I paranoid, or is
there a problem in the Apache server?

                                                Misa

Department of Computer Science          Mihai Ibanescu
"Al. I. Cuza" Univ. of Iasi             e-mail: misa () infoiasi ro
Romania                                 http://www.infoiasi.ro/~misa
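
Added example (not part of the original messages and not Apache code): one way to audit the condition the reply describes, that the ScoreBoardFile or a log file sits in a directory only root can write to. The function name `audit`, its parameters and the temporary directory tree in `demo` are constructed for illustration, and the current uid stands in for root so the demo runs unprivileged.

```python
import os
import stat
import tempfile

def audit(path, trusted_uids=(0,), stop_at="/"):
    """Return [(path, reason)] for each way an untrusted user could redirect `path`."""
    findings = []
    path = os.path.abspath(path)
    try:
        # lstat does not follow links, so an existing link is reported as a link.
        if stat.S_ISLNK(os.lstat(path).st_mode):
            findings.append((path, "is a symlink"))
    except FileNotFoundError:
        pass  # file not created yet; the directory checks below still apply
    current, stop_at = os.path.dirname(path), os.path.abspath(stop_at)
    while True:
        st = os.lstat(current)
        if stat.S_ISLNK(st.st_mode):
            findings.append((current, "is a symlink"))
        else:
            if st.st_uid not in trusted_uids:
                findings.append((current, "owned by untrusted uid %d" % st.st_uid))
            # The sticky bit is deliberately ignored: it does not stop another
            # user from creating the name before the server does.
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((current, "writable by group or other"))
        parent = os.path.dirname(current)
        if current == stop_at or parent == current:
            break
        current = parent
    return findings

def demo():
    """Constructed tree under a temp dir; the current uid stands in for root."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as base:
        base = os.path.realpath(base)
        logs = os.path.join(base, "logs")
        shared = os.path.join(base, "shared")
        os.mkdir(logs, 0o755)
        os.mkdir(shared)
        os.chmod(shared, 0o1777)  # same mode as a typical /tmp
        existing_link = os.path.join(shared, "apache_status")
        os.symlink(os.path.join(base, "elsewhere"), existing_link)
        return {
            "logs": audit(os.path.join(logs, "apache_runtime_status"), (me,), base),
            "shared": audit(existing_link, (me,), base),
        }

if __name__ == "__main__":
    for name, found in demo().items():
        print(name, found or "ok")
```

On a real server, call `audit()` with the default `trusted_uids=(0,)` on the configured ScoreBoardFile path and on each log file path.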



