Posted to apache-bugdb@apache.org by Dan Astoorian <dj...@cs.toronto.edu> on 1997/03/04 18:20:01 UTC

suexec/218: suexec fails to close log file before execv()

>Number:         218
>Category:       suexec
>Synopsis:       suexec fails to close log file before execv()
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Tue Mar  4 09:20:01 1997
>Originator:     djast@cs.toronto.edu
>Organization:
apache
>Release:        1.2b7
>Environment:
any/all
>Description:
suexec opens the log file LOG_EXEC, but never closes it.  As a result, the file
descriptor is inherited by the child process (the CGI program).  This allows any
user on the system permitted to use suexec to arbitrarily modify the contents of
the log file.
>How-To-Repeat:
Compile and set up as a suexec target, then invoke via suexec:

#include <fcntl.h>
#include <unistd.h>
#define LOGFD 3				/* descriptor inherited from suexec */
int main(void) {
	fcntl(LOGFD,F_SETFL,0);		/* turn off append flag */
	lseek(LOGFD,0,0);		/* start of log */
	write(LOGFD,"Gotcha\n",7);
	return 0;
}
>Fix:
Two ways:
	1) close the log file before the execv().  (If the execv() fails, the
following log_err() will re-open the log file.)
or:
	2) set the close-on-exec flag on the file descriptor when the file is
opened.

(1) is easier and more portable, (2) is insignificantly more efficient...
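As an added illustration (not part of this report or of suexec's own code), the C program below shows fix (2) together with a check that an exec'd child really loses the descriptor: it opens a log file the way suexec does, optionally marking it FD_CLOEXEC, then runs /bin/sh as a child that tries to redirect onto that descriptor and reports whether it could. The /tmp paths are constructed for the demo; the exit-status probe assumes a POSIX sh at /bin/sh.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open the log for appending the way suexec does; with cloexec set, also
   mark the descriptor FD_CLOEXEC so it is dropped across execv() (fix 2). */
int open_log(const char *path, int cloexec)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    if (cloexec && fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Probe what an exec'd child sees: /bin/sh runs the no-op ':' with its
   stdout redirected from descriptor fd. The redirection only succeeds if
   the descriptor survived exec, so exit status 0 means it was inherited.
   Returns 1 if the child could use fd, 0 if not, -1 on fork/wait error. */
int child_can_use_fd(int fd)
{
    char cmd[32];
    int status;
    pid_t pid;
    snprintf(cmd, sizeof cmd, ": >&%d", fd);
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    /* Constructed paths for the demo; any writable location works. */
    int leaky = open_log("/tmp/suexec_demo_leaky.log", 0);
    int safe = open_log("/tmp/suexec_demo_safe.log", 1);
    printf("without FD_CLOEXEC: child can use log fd = %d\n", child_can_use_fd(leaky));
    printf("with FD_CLOEXEC:    child can use log fd = %d\n", child_can_use_fd(safe));
    return 0;
}
```

The first probe returns 1 (the log descriptor is still open in the child, which is the condition this report describes), the second returns 0.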
>Audit-Trail:
>Unformatted: