Date: Tue, 11 Feb 1997 23:18:29 -0700 (MST)
From: Marc Slemko <marcs@znep.com>
To: Igor Roshchin <igor@alecto.physics.uiuc.edu>
Cc: freebsd-security@freebsd.org
Subject: Re: httpd gets SIGSERV - is it a security problem ?
Message-ID: <Pine.BSF.3.95.970211230145.29500Z-100000@alive.ampr.ab.ca>
In-Reply-To: <199702120226.UAA20055@alecto.physics.uiuc.edu>

Possibly a security hole, but probably not. All the message means is that Apache tried to write memory where it shouldn't. It _is_ a bug in Apache. Where is it? If I knew that I would fix it. If someone can control the data that is placed in the memory which is overwritten, it is possible that it could be a security risk. Most likely, it is simply a bug.

If this is repeatable (even if it is just at random intervals) and you are willing to spend a bit of time, mail me and I will walk you through debugging where it is happening so we can get a fix in place if it hasn't already been fixed.

If you were running anything before 1.2b6 it would be more likely that it could be a security hole. I did a line by line review of the source tree which resulted in a large number of changes in 1.2b6 to improve security, including adding Apache's own snprintf function to use (portability issues; many platforms don't have snprintf). All or close to all of the obvious holes in the Apache source tree were fixed. I have no doubt that some remain, but I can now say with confidence that Apache is a lot better in this regard than many other servers.

Note that a security hole would almost certainly only result in compromising the account of the user that you run Apache as, not root, assuming you follow several practices. I will assume that Apache runs as httpd and that you start Apache from root:

- don't ever make the Apache binary owned by or writeable by httpd.
- do not make any directory where Apache writes log files writable by anyone other than someone you trust to have root. Most of them should NOT be writable by httpd; the exceptions are ones that Apache opens on the fly while running as httpd.
- if you send logs to a program (e.g. 'TransferLog |/bin/foobar') be aware that the program runs as root.

If anyone ever finds a reason to suspect a security hole in Apache, I encourage you to mail me either at this address or at marc@apache.org with the details.

On Tue, 11 Feb 1997, Igor Roshchin wrote:

>
> Hello!
>
> Sorry if this should be going to a different maillist or
> a newsgroup...
> I see it for a while, that time to time httpd (a forked child)
> gets some interrupt (often, or even always - 6) and dumps the core.
>
> E.g. today I found :
> Feb 11 18:10:26 kurort /kernel: pid 15919 (httpd), uid 65534: exited on signal 6
> (from the syslog)
> and from the httpd log:
>
> [Tue Feb 11 18:10:26 1997] httpd: caught SIGSEGV, dumping core
>
> Nothing else...
>
> Any idea what it can be ?
> I was wondering if it can be some security hole ?
>
> I am running apache 1.2b6,
> with 2.1.6.1 (even after 020597)
>
> Thanks.
>
> IgoR
> aka StR
>

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.95.970211230145.29500Z-100000>
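
An added example, not part of the original message or of Apache: a small Python audit of the three practices listed in the reply above (binary not owned or writable by the server account, log directories not writable by it, piped log programs identified because they run as root). The function names, the temporary layout and the sample config text are constructed for illustration, and the server account's uid and gid are supplied by the caller.

```python
import os
import re
import stat
import tempfile

# Matches the piped form the message names, e.g. 'TransferLog |/bin/foobar'.
PIPED_LOG = re.compile(r'^\s*TransferLog\s+"?\|\s*([^\s"]+)', re.IGNORECASE)

def audit_path(path, server_uid, server_gid):
    """Findings for one path (server binary or log directory) vs. the server account."""
    st = os.stat(path)
    findings = []
    if st.st_uid == server_uid:
        findings.append("owned by server user")
    if st.st_gid == server_gid and st.st_mode & stat.S_IWGRP:
        findings.append("writable by server group")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings

def piped_log_programs(config_text):
    """Programs that receive logs through a pipe; per the message they run as root."""
    return [m.group(1) for line in config_text.splitlines()
            if (m := PIPED_LOG.match(line))]

if __name__ == "__main__":
    # Constructed layout in a temp dir; on a real host pass the real paths
    # and the uid/gid of the account the server runs as.
    root = tempfile.mkdtemp()
    binary = os.path.join(root, "httpd")
    logdir = os.path.join(root, "logs")
    open(binary, "w").close()
    os.mkdir(logdir)
    os.chmod(binary, 0o755)
    os.chmod(logdir, 0o777)          # deliberately weak, to show a finding
    me = os.stat(binary)
    # Pretend the server account is the current user, so "owned by" fires.
    for p in (binary, logdir):
        print(p, audit_path(p, me.st_uid, me.st_gid) or "ok")
    sample_conf = "TransferLog logs/access_log\nTransferLog |/bin/foobar\n"
    for prog in piped_log_programs(sample_conf):
        print("runs as root, audit it too:", prog)
```

Any program reported by `piped_log_programs` should itself be passed through `audit_path`, since a root-run program that the server account can modify defeats the separation the message describes.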