Vulnerability Development mailing list archives
Re: Apache 2.x leaked descriptors
From: Christian Kratzer <ck () cksoft de>
Date: Tue, 25 Feb 2003 18:34:24 +0100 (CET)
Hi,

On Tue, 25 Feb 2003, Brian Hatch wrote:

> I'd argue that the error log *should* be available to exec'd CGIs etc. That way the STDERR of a CGI is available to the programmer for debugging purposes. Beats the hell out of printing debugging information to the web browser. This has been the case for all the Apache versions I'm familiar with.

File descriptors 0, 1 and 2 are not the problem. They are open and required for the script to function properly.

> Now the error log should be opened in append-only mode, such that these logs can only grow the error log, not overwrite or truncate. I do not know if this is the case. If there is more than one error log for that Apache process, I'd argue that Apache should close all of them except the one associated with that program (probably because of the VirtualHost it's associated with, for example).

Yes, error messages from CGI scripts usually end up in the virtual host's error log. That is current behaviour if I'm not mistaken.

[snipp]

> If the error log (the only one that is appropriate for the exec'd program in question) is opened in append-only mode, this seems to be appropriate.

The CGI has access to the error log via its stderr file descriptor 2. It does not need access to the file descriptor of the log itself.

> I think an Apache directive to allow all logs to be closed would be a good one, or perhaps a flag to define close on exec when you define your log files.

The Apache source code already has hooks for closing these resources. The reason it is not happening is because there is a bug. A trivial patch has been posted and is being discussed with the Apache group. I hope it will get committed into their CVS as soon as possible.

Greetings
Christian

--
CK Software GmbH
Christian Kratzer, Schwarzwaldstr. 31, 71131 Jettingen
Email: ck () cksoft de
Phone: +49 7452 889-135
Open Software Solutions, Network Security
Fax: +49 7452 889-136
FreeBSD spoken here!
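The close-on-exec behaviour discussed in the message above, as an added example that is not part of the original post and is not the Apache patch it mentions. The function name, the scratch file path and the use of `/bin/sh` as a stand-in for the exec'd CGI are assumptions made for illustration.

```c
/* Added example: is a log descriptor still open in an exec'd child? */
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the log descriptor is still open in the exec'd child,
 * 0 if it was closed across exec, -1 on setup failure.
 * cloexec selects whether FD_CLOEXEC is set before fork/exec. */
int log_fd_reaches_child(int cloexec)
{
    char path[64], cmd[64];

    /* Constructed scratch file standing in for a vhost error log. */
    snprintf(path, sizeof path, "/tmp/errlog-demo-%ld", (long)getpid());
    /* Append-only open, as the thread suggests for an error log. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    unlink(path);
    if (fd > 9) { close(fd); return -1; }  /* some shells only accept one-digit >&N */

    /* The "flag to define close on exec" from the thread. */
    if (cloexec && fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) { close(fd); return -1; }

    /* The child stands in for a CGI: `: >&N` fails if fd N is not open. */
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null; : >&%d", fd);

    pid_t pid = fork();
    if (pid < 0) { close(fd); return -1; }
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);  /* exec itself failed */
    }
    close(fd);

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    if (WEXITSTATUS(status) == 127) return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("plain open:      reaches child = %d\n", log_fd_reaches_child(0));
    printf("with FD_CLOEXEC: reaches child = %d\n", log_fd_reaches_child(1));
    return 0;
}
```

Descriptors 0, 1 and 2 are untouched in both runs, so the child keeps its stderr path to the log either way; only the extra descriptor is affected by the flag.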
