Re: Apache 2.x leaked descriptors

[Brian Hatch <vuln-dev () ifokr org>]

> Apache 2.0 currently execs cgi scripts / server side includes etc... with
> file descriptors open to all access and error logs on the server and also
> to a couple of internal pipes.
>
> This means any cgi script can muck around with all access and error logs,
> read them, truncate them, overwrite them or append funny stuff.
>
> There is a bug in apache 2.0 that prevents closing of these internal resources
> before running the cgi's.
>
> Thats all.  And thats enough ...

I'd argue that the error log *should* be available to exec'd CGIs
etc.  That way the STDERR of a CGI is available to the programmer
for debugging purposes.  Beats the hell out of printing debugging
information to the webbrowser.  This has been the case for all the
Apache versions I'm familar with.

Now error log should be opened in append only mode, such that these
logs can only grow the error log, not overwrite or truncate.  I do
not know if this is the case.  If there is more than one error log
for that apache process, I'd argue that apache should close all
of them except the one associated with that program (probably
because of the VirtualHost it's associated with, for example.)


I don't see any reason for the access log to be writeable, however,
so I agree they should all be closed.


If the error log (the only one that is appropriate for the
exec'd program in question) is opened in append only mode, this
seems to be appropriate.  I think an apache directive to allow
all logs to be closed would be a good one, or perhaps a flag
to define close on exec when you define your log files.

--
Brian Hatch                  So many pedestrians,
   Systems and                so little time.
   Security Engineer
http://www.ifokr.org/bri/

Every message PGP signed

Attachment: _bin
Description: