httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ruediger Pluem <rpl...@apache.org>
Subject Re: PID table changes (was Re: svn commit: r547987 - in /httpd/httpd/trunk)
Date Tue, 26 Jun 2007 21:03:41 GMT


On 06/26/2007 08:37 PM, Joe Orton wrote:
> My summary: I've still not seen any argument why it presents a security 
> risk for a "malicious child" to be able to kill a piped logger or other 
> non-MPM-spawned process, so:

What about signals other than SIGKILL and SIGTERM?

We also send SIGUSR1 in some cases.

Can this signal create any harm that could not be created otherwise by the
"malicious child" when sent to

1. A piped logger program (could be 3rd party).
2. A CGI script started with suexec.

Regarding the piped logger:

I would guess that a "malicious child" can disable logging for itself by closing
the fd of the piped logger. IMHO this is even harder to detect for the admin
than a killed logger.

Regarding other processes I think the "malicious child" can send any signal to them
anyway as long as they are running with the same user id as the child.

IMHO the advantage of the PID table is that it opens the possibility for further
sanity checks of the scoreboard, especially for cross checking how many childs
we really have. OTOH if I think about it more closely it is questionable if the
added overhead is really worth it, because a "malicious child" at least can create
a "fork bomb" without the help of the scoreboard.


Regards

RĂ¼diger


Mime
View raw message