mailing list archives
Re: Bug in apache httpd 1.1.3
From: dgaudet () ARCTIC ORG (Dean Gaudet)
Date: Sun, 16 Feb 1997 19:16:33 -0800
Only some architectures require the apache_status file (those which don't
implement mmap or shared mem "well enough" for some definition of well
enough that I'm too lazy to dig out of the archives). Linux is one of
them, solaris isn't.
In 1.2b6 that file has been moved to "logs/apache_runtime_status" which
places it in the ServerRoot. There are also some notices in the
documentation about the security implications of log file and parent
directory ownership. So the problem is effectively not there on systems
that are configured correctly.
A temporary fix under 1.1.3 and earlier would be to add the following to
For some appropriate directory. But note that the same problem exists
with all the log files as well, so your log directory should be
We're open to portable solutions... but as of yet, the 1.2 betas only
document the security implications of this problem and don't do anything
to restrict or warn about it at run time.
On Sun, 16 Feb 1997, Mihai Ibanescu wrote:
I noticed something interesting on my RedHat linux system (and on
some other linuxes).
httpd creates a file /tmp/apache_status, and follows blindly any
link if /tmp/apache_status points somewhere, for instance /etc/passwd. So
one can overwrite any file in the system. If she is able to create such a
link, and I don't think that's impossible.
The funny thing is that I have apache 1.1.3 installed on a SPARC
Solaris, and the problem doesn't exist there. So am I paranoid, or is
there a problem in the Apache server?
Department of Computer Science Mihai Ibanescu
"Al. I. Cuza" Univ. of Iasi e-mail: misa () infoiasi ro