Posted to dev@httpd.apache.org by Ruediger Pluem <rp...@apache.org> on 2006/01/17 14:53:55 UTC

Improving documentation / configuration as a result of report 38123

A short time ago there had been a discussion on the security list(s)
if bug report 38123 (Apache stops receiving new connections) is a new
and unknown vulnerability or not.

There was a short discussion on the pmc list about this topic and
the feedback I got there from people that are also on the security
list was that this is not a confidential security issue. So I would
like to discuss some aspects of this bug on the public dev list now.

Although it turned out that the actual request mentioned in the report
should be handled differently, a slight modification of this request
can still cause the handling Apache process / thread to be blocked
until Timeout expires.

Although this is a general problem I think we can do some short term
improvements on the documentation / configuration front.

1. I think the comment

   "It is not set any lower by default because there may still be odd places
    in the code where the timer is not reset when a packet is sent."

   on http://httpd.apache.org/docs/2.0/en/mod/core.html#timeout

   is not valid for 2.0.x and up. AFAIK the Timeout was implemented in 1.3
   with the help of the alarm function which justifies this remark, but this
   is no longer true since 2.0 where poll is used.

2. There should be a section on the Security Tips page that mentions this
   issue and makes some remarks on it.

3. From my point of view, the default value of 300 seconds for Timeout seems to
   be far too high for most purposes. I would suggest to lower this at least
   to 10 seconds. Of course this can lead to trouble at least with long running
   cgi scripts.

Regards

Rüdiger

Re: Improving documentation / configuration as a result of report 38123

Posted by Joshua Slive <jo...@slive.ca>.
On 1/17/06, Joshua Slive <jo...@slive.ca> wrote:

> > 2. There should be a section on the Security Tips page that mentions this
> >    issue and makes some remarks on it.

Since we really need a place to point everyone who rediscovers this
issue and thinks they've found something original, I started a draft,
which you can see here:
http://httpd.apache.org/docs/trunk/misc/security_tips.html#dos

It obviously could use some work.

Joshua.

Re: Improving documentation / configuration as a result of report 38123

Posted by Ruediger Pluem <rp...@apache.org>.

On 01/17/2006 03:26 PM, Joshua Slive wrote:
> On 1/17/06, Ruediger Pluem <rp...@apache.org> wrote:


[..cut..]


>>1. I think the comment
>>
>>   "It is not set any lower by default because there may still be odd places
>>    in the code where the timer is not reset when a packet is sent."
>>
>>   on http://httpd.apache.org/docs/2.0/en/mod/core.html#timeout
>>
>>   is not valid for 2.0.x and up. AFAIK the Timeout was implemented in 1.3
>>   with the help of the alarm function which justifies this remark, but this
>>   is no longer true since 2.0 where poll is used.
> 
> 
> +1  I think we'd at least prefer that if any of these edge cases still
> exist in the code, they be treated as bugs and not expected behavior.
> 

I will remove it once there is an agreement on a new default value for Timeout.

> 
>>2. There should be a section on the Security Tips page that mentions this
>>   issue and makes some remarks on it.
> 
> 
> +1  Although you'll note that the security tips page is really just a
> big mess.  It needs someone with some real-world knowledge to point
> out what is important.

I just clashed with your commit :-). I will have a look at your draft and add
my things to it.

[..cut..]

> 
> That sounds like a little too drastic a change to me without testing
> to back it up.  Perhaps 60 would be a good intermediate step.  One

This is also fine with me. Let's see what others think.

> problem is that TimeOut applies to too many different things.  Why
> should the timeout waiting for CGI output and the timeout waiting for
> the network be the same?  It would be nice to have more fine-grained
> control.

Yes, that would be really nice, but some work needs to be done to reach this.

> 
> (And it would also be nice to unify all the different timeouts used by
> the server in some way; ie, "TimeOut cgi=60 request=5 ldap=10 dav=50",
> etc.  But perhaps that is asking for too much.)

I prefer separate directives for each of these areas.

Regards

Rüdiger


Re: Improving documentation / configuration as a result of report 38123

Posted by Joshua Slive <jo...@slive.ca>.
On 1/17/06, Ruediger Pluem <rp...@apache.org> wrote:
>
> A short time ago there had been a discussion on the security list(s)
> if bug report 38123 (Apache stops receiving new connections) is a new
> and unknown vulnerability or not.

If you want to attract lazy people to the topic, you should provide a link ;-)
http://issues.apache.org/bugzilla/show_bug.cgi?id=38123

>
> 1. I think the comment
>
>    "It is not set any lower by default because there may still be odd places
>     in the code where the timer is not reset when a packet is sent."
>
>    on http://httpd.apache.org/docs/2.0/en/mod/core.html#timeout
>
>    is not valid for 2.0.x and up. AFAIK the Timeout was implemented in 1.3
>    with the help of the alarm function which justifies this remark, but this
>    is no longer true since 2.0 where poll is used.

+1  I think we'd at least prefer that if any of these edge cases still
exist in the code, they be treated as bugs and not expected behavior.

>
> 2. There should be a section on the Security Tips page that mentions this
>    issue and makes some remarks on it.

+1  Although you'll note that the security tips page is really just a
big mess.  It needs someone with some real-world knowledge to point
out what is important.

> 3. From my point of view, the default value of 300 seconds for Timeout seems to
>    be far too high for most purposes. I would suggest to lower this at least
>    to 10 seconds. Of course this can lead to trouble at least with long running
>    cgi scripts.

That sounds like a little too drastic a change to me without testing
to back it up.  Perhaps 60 would be a good intermediate step.  One
problem is that TimeOut applies to too many different things.  Why
should the timeout waiting for CGI output and the timeout waiting for
the network be the same?  It would be nice to have more fine-grained
control.

(And it would also be nice to unify all the different timeouts used by
the server in some way; ie, "TimeOut cgi=60 request=5 ldap=10 dav=50",
etc.  But perhaps that is asking for too much.)

Joshua.
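
An added example, not part of the thread or of httpd itself: a small Python audit that reports the effective Timeout per scope in an httpd configuration and flags values above a chosen limit. The 60-second limit follows the intermediate value suggested in the thread; the sample configuration and the function names are constructed for illustration.

```python
import re

DEFAULT_TIMEOUT = 300  # default value discussed in the thread

# Constructed sample configuration, not taken from the thread.
SAMPLE_CONF = """\
# main server
TimeOut 300
<VirtualHost *:80>
    Timeout 20
</VirtualHost>
<VirtualHost *:8080>
</VirtualHost>
"""

def logical_lines(text):
    """Yield directive lines, joining backslash continuations, skipping comments."""
    buf = ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):
            buf = line[:-1] + " "
            continue
        buf = ""
        if line and not line.startswith("#"):
            yield line

def effective_timeouts(text):
    """Return {scope: seconds}; a vhost without Timeout inherits the main value."""
    main, vhosts, scope = DEFAULT_TIMEOUT, {}, None
    for line in logical_lines(text):
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            scope = m.group(1).strip()
            vhosts[scope] = None
        elif re.match(r"</VirtualHost>", line, re.I):
            scope = None
        else:
            # Directive names are case-insensitive ("Timeout" / "TimeOut").
            m = re.match(r"Timeout\s+(\d+)\s*$", line, re.I)
            if m and scope is None:
                main = int(m.group(1))
            elif m:
                vhosts[scope] = int(m.group(1))
    return {"main": main, **{s: main if v is None else v for s, v in vhosts.items()}}

def audit(text, limit=60):
    """Return scopes whose effective Timeout exceeds limit (an assumed policy value)."""
    return {s: t for s, t in effective_timeouts(text).items() if t > limit}
```

Calling `audit(SAMPLE_CONF)` flags the main server and the virtual host that inherits its value, while the virtual host with its own `Timeout 20` passes.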