www-apache-bugdb mailing list archives

From Dan Astoorian <dj...@cs.toronto.edu>
Subject suexec/218: suexec fails to close log file before execv()
Date Tue, 04 Mar 1997 17:20:01 GMT

>Number:         218
>Category:       suexec
>Synopsis:       suexec fails to close log file before execv()
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Tue Mar  4 09:20:01 1997
>Originator:     djast@cs.toronto.edu
>Organization:
apache
>Release:        1.2b7
>Environment:
any/all
>Description:
suexec opens the log file LOG_EXEC, but never closes it.  As a result, the file
descriptor is inherited by the child process (the CGI program).  This allows any
user on the system permitted to use suexec to arbitrarily modify the contents of
the log file.
>How-To-Repeat:
Compile and set up as a suexec target, then invoke via suexec:

#include <fcntl.h>
#include <unistd.h>
#define LOGFD 3
int main(void) {
	fcntl(LOGFD,F_SETFL,0);		/* turn off append flag */
	lseek(LOGFD,0,SEEK_SET);	/* start of log */
	write(LOGFD,"Gotcha\n",7);
	return 0;
}
>Fix:
Two ways:
	1) close the log file before the execv().  (If the execv() fails, the
following log_err() will re-open the log file.)
or:
	2) set the close-on-exec flag on the file descriptor when the file is
opened.

(1) is easier and more portable, (2) is insignificantly more efficient...
>Audit-Trail:
>Unformatted:
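
Fix (2) from the report, together with a probe that checks whether a descriptor is still open after exec. This is an added example, not part of the original report and not Apache's suexec code; the function names and the /tmp path are assumptions, and the probe relies on /bin/sh.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open the append-only log. cloexec=0 is the pattern in the report (the
 * descriptor stays open across exec); cloexec=1 applies fix (2). */
int open_log(const char *path, int cloexec)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0600);
    if (fd >= 0 && cloexec && fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Fork and exec /bin/sh, which tries to duplicate descriptor fd onto its
 * stdout. Returns 1 if the exec'd program holds fd, 0 if not, -1 on error. */
int fd_survives_exec(int fd)
{
    char cmd[16];
    int status;
    if (fd < 0 || fd > 9)       /* sh guarantees only single-digit fds */
        return -1;
    snprintf(cmd, sizeof cmd, ": >&%d", fd);
    pid_t pid = fork();
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);             /* exec itself failed */
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 127 ? -1 : WEXITSTATUS(status) == 0;
}

int main(void)
{
    int plain = open_log("/tmp/suexec_fd_demo.log", 0);   /* constructed sample path */
    int fixed = open_log("/tmp/suexec_fd_demo.log", 1);
    printf("plain open:    inherited=%d\n", fd_survives_exec(plain));
    printf("close-on-exec: inherited=%d\n", fd_survives_exec(fixed));
    return 0;
}
```

On current POSIX systems, passing O_CLOEXEC to open() sets the same flag atomically at open time.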


