Vulnerability Development mailing list archives
Re: Apache 2.x leaked descriptors
From: Steve Grubb <linux_4ever () yahoo com>
Date: 24 Feb 2003 13:25:59 -0000
In-Reply-To: <3E57FDE3.9040502 () divisionbyzero com>
> you can do more than that. unless the web server uses suexec, all the cgi's run as the webserver user, who most likely has:
>
> at least w to all log files for all vhosts (probably r+w)
> at least r on all webhosting directories
> at least r+x on all cgi-bin directories
>
> this is (and has been) a known issue for a while. it has periodically been discussed on the apache mailing lists, and i think it came up on bugtraq recently as well.
There are ways to stop virtual hosted sites from having access to their neighbors or even having direct access to their own log files. This can be done through chroot, a sandbox, or jail. The problem is that all of these protection mechanisms break down if you inherit an open descriptor. The jail or sandbox would have to fstat thousands of file descriptors to see if they are open and close them before exec'ing the cgi. This is a performance hit and therefore unlikely. Apache 1.3.27 doesn't have this problem.

Cheers,
Steve Grubb
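
The descriptor scan described in the message above, as an added example that is not part of the original post and is not Apache code. It counts the descriptors a child would inherit across exec() and marks them close-on-exec; the function names, the `FD_SCAN_CAP` bound and the `/dev/null` stand-in for a log file are assumptions made for illustration.

```c
/* Added example (not from the original post): find and seal descriptors
 * that a CGI child would otherwise inherit across exec(). */
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

#define FD_SCAN_CAP 65536  /* assumption: bound the scan when the limit is huge */

static long scan_limit(void)
{
    long maxfd = sysconf(_SC_OPEN_MAX);
    return (maxfd < 0 || maxfd > FD_SCAN_CAP) ? FD_SCAN_CAP : maxfd;
}

/* Count open descriptors >= lowfd without FD_CLOEXEC: these survive exec(). */
int count_inheritable(int lowfd)
{
    long limit = scan_limit();
    int n = 0;
    for (long fd = lowfd; fd < limit; fd++) {
        int flags = fcntl((int)fd, F_GETFD);
        if (flags != -1 && !(flags & FD_CLOEXEC))
            n++;
    }
    return n;
}

/* Set FD_CLOEXEC on every open descriptor >= lowfd.
 * Returns how many were changed, or -1 if a flag could not be set. */
int seal_descriptors(int lowfd)
{
    long limit = scan_limit();
    int changed = 0;
    for (long fd = lowfd; fd < limit; fd++) {
        int flags = fcntl((int)fd, F_GETFD);
        if (flags == -1 || (flags & FD_CLOEXEC))
            continue;                    /* not open, or already sealed */
        if (fcntl((int)fd, F_SETFD, flags | FD_CLOEXEC) == -1)
            return -1;
        changed++;
    }
    return changed;
}

int main(void)
{
    int logfd = open("/dev/null", O_WRONLY);  /* constructed stand-in for a vhost log */
    printf("inheritable before: %d\n", count_inheritable(3));
    printf("sealed:             %d\n", seal_descriptors(3));
    printf("inheritable after:  %d\n", count_inheritable(3));
    close(logfd);
    return 0;
}
```

The loop makes one fcntl() call per possible descriptor, which is the per-exec cost the message refers to. Opening files with `O_CLOEXEC` in the parent avoids the scan altogether.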