httpd-dev mailing list archives

From Ben Laurie <...@gonzo.ben.algroup.co.uk>
Subject Re: suexec concerns
Date Sat, 04 Jan 1997 13:30:11 GMT
Marc Slemko wrote:
> 
> On Fri, 3 Jan 1997, Randy Terbush wrote:
> 
> > 
> > > Hang on.  The parent httpd, normally running as root, knows for sure who
> > > its children are.  All we need is a way for suexec to ask the parent if
> > > process x is a child of the parent or not.  Part of that could be already
> > > implemented in the scoreboard stuff.  Comments? 
> > 
> > I tried to find a way to trace the "lineage" of a process for this
> > very reason. While I *think* it would be possible to do this by
> > mucking through kvm, I can't imagine how to make something like this
> > portable. If you could come up with something, this would be golden.
> 
> suexec knows who its parent is with getppid().  The parent will be in the
> scoreboard.  iff the ppid is in the scoreboard, then it was called from a
> running copy of apache.  There is more to it than that, but I think that
> idea could work.  The trick comes on systems that mmap it.  Perhaps I will
> look at what apache is actually doing there to see how practical it is.
> 
> I can think of a half dozen ways to do what we want, but they sure aren't
> portable.  <sigh>

RST and I thrashed this one out long ago, when suexec first came up. I forget
the details of the solution, but RST did implement it in threaded Apache. I
even have his permission to lift it out and add it to 1.2, I just never got
round to it.

As I remember it, a perfect solution was not possible, but a successful attack
required the attacker to a) kill off a legitimate child and b) get a new
process with the same process ID before Apache noticed that the original had
died (which would only be possible after Apache had retrieved status, I
believe, so would require a very narrow time slot).

Cheers,

Ben.

-- 
Ben Laurie                Phone: +44 (181) 994 6435  Email: ben@algroup.co.uk
Freelance Consultant and  Fax:   +44 (181) 994 6472
Technical Director        URL: http://www.algroup.co.uk/Apache-SSL
A.L. Digital Ltd,         Apache Group member (http://www.apache.org)
London, England.          Apache-SSL author
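
Added example (not part of the original message, and not Apache or suexec code): a C model of the check Marc Slemko describes, where a wrapper accepts its caller only if getppid() is listed in a scoreboard written by the parent. The `scoreboard` struct, `SLOTS` and all function names are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE   /* for MAP_ANONYMOUS on glibc */
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define SLOTS 4   /* constructed scoreboard size, not Apache's layout */
typedef struct { volatile pid_t pid[SLOTS]; } scoreboard;

/* Shared anonymous mapping: written by the parent, visible to descendants. */
scoreboard *sb_create(void) {
    void *p = mmap(NULL, sizeof(scoreboard), PROT_READ | PROT_WRITE,
                   MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : (scoreboard *)p;
}

/* Wrapper-side check: is the process that invoked us listed? */
int caller_is_registered(const scoreboard *sb, pid_t ppid) {
    if (ppid <= 1) return 0;   /* caller already gone, we were reparented */
    for (size_t i = 0; i < SLOTS; i++)
        if (sb->pid[i] == ppid) return 1;   /* a pid value, not a process identity */
    return 0;
}

/* Fork a server child that forks a wrapper; 1 = accepted, 0 = not, -1 = setup error. */
int run_wrapper_under_child(scoreboard *sb, int register_child) {
    int go[2], st = 0; char c = 'g';
    if (pipe(go) < 0) return -1;
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {
        if (read(go[0], &c, 1) != 1) _exit(2);   /* wait until parent recorded us */
        pid_t w = fork();
        if (w == 0) _exit(caller_is_registered(sb, getppid()) ? 0 : 1);
        if (w < 0 || waitpid(w, &st, 0) < 0) _exit(2);
        _exit(WIFEXITED(st) ? WEXITSTATUS(st) : 2);
    }
    if (register_child) sb->pid[0] = child;      /* only the parent writes pids */
    if (write(go[1], &c, 1) != 1) return -1;
    if (waitpid(child, &st, 0) < 0) return -1;
    sb->pid[0] = 0;   /* cleared only after reaping; stale until this point */
    close(go[0]); close(go[1]);
    return WIFEXITED(st) && WEXITSTATUS(st) == 0;
}
int main(void) {
    scoreboard *sb = sb_create();
    return sb && run_wrapper_under_child(sb, 1) == 1 ? 0 : 1;
}
```

Because the lookup compares pid values, an entry that has not yet been cleared is honoured for whichever process currently holds that pid, which is why the interval between a child's death and the parent clearing its slot matters in the message above.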
