httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: [PATCH] call hook from sig_coredump
Date Mon, 03 Mar 2003 20:34:00 GMT
At 01:14 PM 3/3/2003, Bill Stoddard wrote:
>William A. Rowe, Jr. wrote:
>>At 12:30 PM 3/3/2003, Bill Stoddard wrote:
>>>I don't like the idea of enabling this hook at configure time. Why not add the
hook and leave it to modules whether they want to use it or not?  
>>
>>Because it is a potential security hole?  The only individual who should choose to
expose or prevent the hole would be the administrator who installs (and therefore probably
built) Apache.
>
>That same admin controls which modules are loaded as well.

And they psychically know that a module is using this hook, or not,
as the case may be?   I rather like the "permit this or not" level of
control by the Administrator, without relying on module authors.
The paranoid Admin is unlikely to trust either the application or loadable
modules anyways, so giving them as many overrides as possible to
reduce exploitable behavior is goodness.

>>>I don't see the value in crufting up configure more that it already is.
>>
>>Can we piggy-back such features into a single --unwise-but-useful configure option?
>
>Obviously not. If it is -really- unwise, then we should just not do it. I see no evidence
that is the case though. How, exactly, could this hook be remotely and uniquely exploited?

Code running post-segv after a stack overflow is subject to any number 
of 'side-effects', Mark could provide better pointers to exploit code than 
I can.  IIUC you propose this hook in the child that is segfaulting.  If I've misunderstood
and this is code in the parent after the child segfaults,
ignore my musings.

Bill




Mime
View raw message