Return-Path: owner-new-httpd
Received: by taz.hyperreal.com (8.6.10/8.6.5) id HAA23500; Thu, 27 Apr 1995 07:33:11 -0700
Received: from life.ai.mit.edu by taz.hyperreal.com (8.6.10/8.6.5) with SMTP id HAA23494; Thu, 27 Apr 1995 07:33:05 -0700
Received: from volterra (volterra.ai.mit.edu) by life.ai.mit.edu (4.1/AI-4.10) for new-httpd@mail.apache.org id AA29504; Thu, 27 Apr 95 10:33:03 EDT
From: rst@ai.mit.edu (Robert S. Thau)
Received: by volterra (4.1/AI-4.10) id AA07843; Thu, 27 Apr 95 10:33:02 EDT
Date: Thu, 27 Apr 95 10:33:02 EDT
Message-Id: <9504271433.AA07843@volterra>
To: new-httpd@mail.apache.org
Subject: Closing file descriptors...
Sender: owner-new-httpd@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

Paul Phillips has just noted that the file descriptors for the log files are left open in NCSA 1.3, which might allow a malicious CGI script to cover its tracks or wipe the log files entirely. It might be best to just close all descriptors except for stdin, stdout, and stderr before the exec() in cgi_stub().

Then again, stderr is generally set to the error log, and I generally consider that a feature, rather than a bug (if a script screws up, you generally get useful info in the error_log).

Any thoughts?

rst
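
The approach suggested in the message, as an added example (not code from the original message or from the NCSA or Apache sources): a forked child closes every descriptor above stderr at the point where it would exec() the script, and reports whether an inherited log descriptor is still reachable. The names `close_inherited_fds` and `child_inherits`, the 65536 loop bound and the temp file standing in for a log are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Close every descriptor above stderr (fd 2); returns how many were open. */
int close_inherited_fds(void)
{
    long max = sysconf(_SC_OPEN_MAX);
    int closed = 0;
    if (max < 0 || max > 65536)
        max = 65536;  /* bound the loop when the limit is unknown or huge */
    for (int fd = STDERR_FILENO + 1; fd < max; fd++)
        if (close(fd) == 0)
            closed++;
    return closed;
}

/* Hypothetical stand-in for the server: open a "log", fork, and let the child
 * report bit 0 = log fd reachable, bit 1 = stderr open. Returns -1 on error. */
int child_inherits(int harden)
{
    char path[] = "/tmp/fd-demo-XXXXXX";  /* constructed sample log file */
    int logfd = mkstemp(path);
    if (logfd < 0)
        return -1;
    unlink(path);
    pid_t pid = fork();
    if (pid == 0) {
        if (harden)
            close_inherited_fds();
        /* The real code would exec() the script here. */
        int log_open = fcntl(logfd, F_GETFD) != -1;
        int err_open = fcntl(STDERR_FILENO, F_GETFD) != -1;
        _exit(log_open | (err_open << 1));
    }
    int status = 0;
    close(logfd);
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("log fd reachable: %d, then %d\n", child_inherits(0) & 1, child_inherits(1) & 1);
    return 0;
}
```

Because stderr is left open, a script's error output still reaches whatever stderr was pointed at, which also means that one descriptor stays writable by the script.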