>you can do more than that. unless the web server uses suexec, all the
There are ways to stop virtual hosted sites from having access to their neighbors or even having direct access to their own log files. This can be done through chroot, a sandbox, or jail. The problem is that all of these protection mechanisms break down if you inherit an open descriptor. The jail or sandbox would have to fstat thousands of file descriptors to see if they are open and close them before exec'ing the cgi. This is a performance hit and therefore unlikely. Apache 1.3.27 doesn't have this problem.
Cheers,
Steve Grubb

Received on Mon Feb 24 16:20:52 2003
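The descriptor sweep the message describes, as an added example that is not part of the original post and is not Apache's code: before exec'ing a CGI, a wrapper probes each descriptor number and closes the ones that are open. The function names and the `/dev/null` stand-in for a leaked log descriptor are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <sys/resource.h>
#include <unistd.h>

/* Soft RLIMIT_NOFILE: the exclusive upper bound on descriptor numbers. */
int soft_fd_limit(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur < INT_MAX)
        return (int)rl.rlim_cur;
    return 1024; /* assumed fallback when the limit is unknown or unbounded */
}

/* Close every open descriptor in [lowfd, highfd). Returns how many were
 * closed. One fcntl() probe per slot is the per-exec cost the message
 * refers to: the loop runs highfd - lowfd times even if nothing is open. */
int close_open_fds(int lowfd, int highfd) {
    int closed = 0;
    for (int fd = lowfd; fd < highfd; fd++) {
        if (fcntl(fd, F_GETFD) == -1)   /* EBADF: slot is not in use */
            continue;
        if (close(fd) == 0)
            closed++;
    }
    return closed;
}

int main(void) {
    /* Constructed stand-in for a log descriptor inherited from the server. */
    int leaked = open("/dev/null", O_WRONLY);
    if (leaked < 0) { perror("open"); return 1; }

    int limit = soft_fd_limit();
    int closed = close_open_fds(3, limit);  /* keep stdin, stdout, stderr */
    int gone = (fcntl(leaked, F_GETFD) == -1 && errno == EBADF);

    printf("probed %d slots, closed %d, leaked fd %d closed: %s\n",
           limit - 3, closed, leaked, gone ? "yes" : "no");
    /* The exec of the CGI would follow here, with only 0-2 inherited. */
    return gone ? 0 : 1;
}
```

Opening descriptors with `O_CLOEXEC`, or setting `FD_CLOEXEC` with `fcntl()` at the point where they are created, avoids the sweep because the kernel closes them at exec time.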