Posted to cvs@httpd.apache.org by jo...@apache.org on 2019/04/16 07:54:28 UTC

svn commit: r1857626 - /httpd/httpd/trunk/docs/manual/mod/mpm_common.xml

Author: jorton
Date: Tue Apr 16 07:54:27 2019
New Revision: 1857626

URL: http://svn.apache.org/viewvc?rev=1857626&view=rev
Log:
Add security note on CoreDumpDirectory for Linux.

Reviewed by: icing, elukey

Modified:
    httpd/httpd/trunk/docs/manual/mod/mpm_common.xml

Modified: httpd/httpd/trunk/docs/manual/mod/mpm_common.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mpm_common.xml?rev=1857626&r1=1857625&r2=1857626&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mpm_common.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mpm_common.xml Tue Apr 16 07:54:27 2019
@@ -50,6 +50,17 @@ switch before dumping core</description>
     operating system is not configured to write core files to the working directory
     of the crashing processes.</p>
 
+    <note type="warning">
+      <title>Security note for Linux systems</title>
+
+      <p>Using this directive on Linux may allow other processes on
+      the system (if running with similar privileges, such as CGI
+      scripts) to attach to httpd children via the <code>ptrace</code>
+      system call.  This may make weaken the protection from certain
+      security attacks.  It is not recommended to use this directive
+      on production systems.</p>
+    </note>
+    
     <note><title>Core Dumps on Linux</title>
       <p>If Apache httpd starts as root and switches to another user, the
       Linux kernel <em>disables</em> core dumps even if the directory is
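Review bot: In the added warning paragraph, "This may make weaken the protection" has a stray word and should read "This may weaken the protection". The blank line added after the closing `</note>` carries trailing whitespace (`+    `) and should be left empty. The warning also states the ptrace exposure without saying why setting the directive causes it; one clause giving the cause, or a pointer to the "Core Dumps on Linux" note that follows, would let administrators assess the risk for their own setup. "Certain security attacks" is vague as well, and naming the class of protection that is weakened would make the recommendation against production use easier to act on.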