Received: (from majordom@localhost) by hyperreal.org (8.8.5/8.8.5) id CAA28071; Thu, 14 Aug 1997 02:26:26 -0700 (PDT)
Received: from twinlark.arctic.org (twinlark.arctic.org [204.62.130.91]) by hyperreal.org (8.8.5/8.8.5) with SMTP id CAA28067 for ; Thu, 14 Aug 1997 02:26:23 -0700 (PDT)
Received: (qmail 11891 invoked by uid 500); 14 Aug 1997 09:17:33 -0000
Date: Thu, 14 Aug 1997 02:17:32 -0700 (PDT)
From: Dean Gaudet
To: new-httpd@apache.org
Subject: RE: [PATCH] accept serialization
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

On Thu, 14 Aug 1997, Paul Sutton wrote:
> Ok, I've tried this quickly and it *does NOT work* without the ownership
> change. Each child fails on the accept_mutex_on (they exit after the
> perror here with "accept_mutex_on: Permission denied"). So another one
> gets spawned and dies, for ever. Not nice.

Damn. Ok that means that USE_SYSVSEM_SERIALIZED_ACCEPT has a known DoS
attack (make a cgi which forks a child which acquires the semaphore and
sleeps forever). So far I've only proposed that it be the default for
IRIX.

Notes:

- on multiprocessor IRIX boxes it's way faster to use _USLOCK_, but these
  are way slower on single processor boxes

- fcntl/flock are extremely painfully slow on some irix boxes (probably
  boxes running NFS servers, or maybe just on multiprocessor boxes, we
  haven't isolated what yet)

- Martijn Koster tells me he's been running with the equivalent of
  SAFE_UNSERIALIZED_ACCEPT on IRIX boxes with no ill-effect

- systems concerned about local users who can run CGIs and cause the DoS
  are probably also concerned enough to use suexec/cgiwrap and be immune
  to the DoS

So, I'm happy with documenting the DoS and the workarounds and options and
alternatives. It's too bad IRIX is a little too inconsistent on these
things.

Dean
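
The permission reasoning in this thread, as an added example that is not part of the original e-mail or of Apache's code: semop() needs "alter" access, so once the semaphore set is owned by the server uid, anything running as that uid can lock it, while a CGI run under a different uid (suexec/cgiwrap) cannot. The function names and the uids 65534 and 1001 are assumptions for illustration; supplementary groups and uid 0 are not modelled.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/sem.h>

#ifdef __linux__
/* glibc leaves union semun for the caller to define. */
union semun { int val; struct semid_ds *buf; unsigned short *array; };
#endif

/* Model of the System V IPC check for "alter" access, which semop()
 * requires: owner or creator uses the owner bits, a matching group the
 * group bits, everyone else the other bits. */
int can_alter(const struct ipc_perm *p, uid_t uid, gid_t gid)
{
    unsigned mode = p->mode & 0777;
    if (uid == p->uid || uid == p->cuid)
        return (mode & 0200) != 0;
    if (gid == p->gid || gid == p->cgid)
        return (mode & 0020) != 0;
    return (mode & 0002) != 0;
}

/* Audit helper (hypothetical name): 1 if a process running as
 * cgi_uid/cgi_gid could lock semaphore set semid, 0 if not,
 * -1 if the set cannot be inspected. */
int accept_sem_exposed(int semid, uid_t cgi_uid, gid_t cgi_gid)
{
    struct semid_ds ds;
    union semun arg;
    arg.buf = &ds;
    if (semctl(semid, 0, IPC_STAT, arg) < 0)
        return -1;
    return can_alter(&ds.sem_perm, cgi_uid, cgi_gid);
}

int main(void)
{
    /* Constructed sample: set created by root, then handed to server
     * uid 65534 with mode 0600 (the "ownership change"). */
    struct ipc_perm p = {0};
    p.cuid = 0; p.cgid = 0; p.uid = 65534; p.gid = 65534; p.mode = 0600;
    printf("CGI as server uid 65534: %d\n", can_alter(&p, 65534, 65534));
    printf("CGI as separate uid 1001: %d\n", can_alter(&p, 1001, 1001));
    return 0;
}
```

On a live system, accept_sem_exposed() can be pointed at a semaphore id listed by `ipcs -s`.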