httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jim Jagielski <...@jaguNET.com>
Subject Re: PID table changes (was Re: svn commit: r547987 - in /httpd/httpd/trunk)
Date Tue, 26 Jun 2007 16:55:22 GMT

On Jun 21, 2007, at 6:20 PM, William A. Rowe, Jr. wrote:

> Joe Orton wrote:
>> On Thu, Jun 21, 2007 at 06:18:59PM +0100, Colm MacCarthaigh wrote:
>>> On Thu, Jun 21, 2007 at 05:51:34PM +0100, Joe Orton wrote:
>>>> On Sat, Jun 16, 2007 at 09:29:25PM -0000, Jim Jagielski wrote:
>>>> Secondly: I think this approach is unnecessarily complex.  I  
>>>> think it's
>>>> sufficient to simply check whether the target process is in the  
>>>> right
>>>> process group before sending a signal, i.e. getpgid(pid) ==  
>>>> getpgrp().
>>>> This ensures that the parent will only kill things it created.
>>> I actually thought avoiding this was a design goal, to prevent  
>>> someone
>>> from killing piped loggers and cgi processes ?
>>
>> What's the security threat there?  Given that the attacker can  
>> arrange
>> for arbitrary execution of code in any unprivileged child, preventing
>> logging or CGI script execution is possible anyway.
>
> Two different cases.  It will be trivial to kill the CGI scripts  
> launched
> from the process (not from cgid) for other children in, say, a worker
> config.  The cgid and logging processes spawned by the parents aren't
> vulnerable as such (and the logging processes are spawned with the  
> httpd's
> launching uid anyways, not nobody, IIRC.)
>
> We only care about constraining the fallout of a malicious in process
> script to that specific process, and the loggers, if we go beyond  
> testing
> the pid group, won't have that issue from the child process.
>
> So I agree with testing the pid groups, I also believe it is  
> worthwhile
> to sanity test any critical data from the shared-scoreboard against  
> the
> parent processes' private reference table.
>

So what's the word... should we back out all the pid table stuff
(from both 1.3 and 2.x) and wait for Joe to provide his
pgrp changes (including any required configure magic to detect
function existance) or what?

It's kind of embarrassing that this is taking so long :)

Mime
View raw message