Vulnerability Development mailing list archives
Re: Apache 2.x leaked descriptors
From: Steve Grubb <linux_4ever () yahoo com>
Date: 25 Feb 2003 18:41:04 -0000
In-Reply-To: <20030224132559.5665.qmail () www securityfocus com>
> I think the real way to fix this for CGI is to have the parent process set the F_CLOEXEC flag on all the descriptors it opens, except those that the child is supposed to inherit.
> /snip/
> Michael Wojcik

Yes, this is the correct fix and easy enough to do. I just don't know why they've blown it off for 4 months. This fix should be applied to all files, pipes, and sockets.

So far, this thread has pretty much centered on whether or not access & error log inheritance is a problem. Has anyone looked to see what the scope of the problem is? (Maybe that would convince some people.) Has anyone played with various modules looking to see if anything beyond access or error logs is available? For example, if you look at mod_php, they leak the file descriptor from accept() and the descriptor to the PHP page being executed in addition to all the other descriptors. There's a lot of Apache modules...

-Steve Grubb
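The fix discussed in this message, as an added example that is not part of the original post and not Apache's code: the parent audits which descriptors an exec'd child would inherit, then sets the close-on-exec flag (`FD_CLOEXEC` in `<fcntl.h>`) on all of them except a keep list. The function names, the `maxfd` bound of 256, and the `/dev/null` and pipe descriptors are assumptions constructed for the demonstration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Is fd open and still inheritable across execve()? */
int is_inheritable(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags != -1 && !(flags & FD_CLOEXEC);
}

static int kept(int fd, const int *keep, size_t nkeep)
{
    for (size_t i = 0; i < nkeep; i++)
        if (keep[i] == fd) return 1;
    return 0;
}

/* Audit: fds in [3, maxfd) an exec'd child would inherit but should not. */
int count_leaks(int maxfd, const int *keep, size_t nkeep)
{
    int n = 0;
    for (int fd = 3; fd < maxfd; fd++)
        n += is_inheritable(fd) && !kept(fd, keep, nkeep);
    return n;
}

/* Fix: set FD_CLOEXEC on each of those fds; returns how many were changed. */
int cloexec_all_except(int maxfd, const int *keep, size_t nkeep)
{
    int changed = 0;
    for (int fd = 3; fd < maxfd; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1 || (flags & FD_CLOEXEC) || kept(fd, keep, nkeep))
            continue;
        changed += fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == 0;
    }
    return changed;
}

int main(void)
{
    int p[2];   /* constructed stand-ins: a log descriptor and a CGI pipe */
    if (open("/dev/null", O_WRONLY) < 0 || pipe(p) != 0) return 1;
    int keep[] = { p[0] };      /* only the pipe's read end is for the child */
    int before = count_leaks(256, keep, 1);
    int marked = cloexec_all_except(256, keep, 1);
    printf("leaks before=%d marked=%d after=%d\n", before, marked, count_leaks(256, keep, 1));
    return 0;
}
```

On systems that provide `O_CLOEXEC`, passing it to `open()` sets the flag at creation and removes the window between opening a descriptor and the later `fcntl()` call.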