Pantek Library

Re: Apache 2.x leaked descriptors

From: Brian Hatch <vuln-dev(at)ifokr.org>
Date: Tue Feb 25 2003 - 12:27:43 EST

> Apache 2.0 currently execs cgi scripts / server side includes etc... with

I'd argue that the error log *should* be available to exec'd CGIs etc. That way the STDERR of a CGI is available to the programmer for debugging purposes. Beats the hell out of printing debugging information to the web browser. This has been the case for all the Apache versions I'm familiar with.

Now the error log should be opened in append-only mode, such that these logs can only grow the error log, not overwrite or truncate. I do not know if this is the case. If there is more than one error log for that apache process, I'd argue that apache should close all of them except the one associated with that program (probably because of the VirtualHost it's associated with, for example.)

I don't see any reason for the access log to be writeable, however, so I agree they should all be closed.

If the error log (the only one that is appropriate for the exec'd program in question) is opened in append only mode, this seems to be appropriate. I think an apache directive to allow all logs to be closed would be a good one, or perhaps a flag to define close on exec when you define your log files.

--
Brian Hatch                  So many pedestrians,
   Systems and                so little time.
   Security Engineer
http://www.ifokr.org/bri/

Every message PGP signed

  • application/pgp-signature attachment: stored
Received on Tue Feb 25 18:46:48 2003
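
The two ideas in the message above (an error log opened for append and handed to the child as stderr, and close-on-exec on the other log descriptors), sketched in C as an added example; this is not Apache's code and not part of the original post. The temp file names, `run_cgi` and `cgi_log_exposure` are hypothetical, and the sketch assumes a POSIX system with `/bin/sh` and log descriptors numbered below 10.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* CGI stand-in: stderr -> error log; other fds inherited unless close-on-exec. */
static int run_cgi(int errlog_fd, const char *script)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        dup2(errlog_fd, STDERR_FILENO); /* the copy on fd 2 has no FD_CLOEXEC */
        execl("/bin/sh", "sh", "-c", script, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Constructed demo on two temp files. Returns -1 on failure, else a bitmask:
 *   bit 0: the access-log descriptor was still open in the exec'd child
 *   bit 1: the child's stderr line landed after the existing log entry */
int cgi_log_exposure(int access_flags)
{
    char err[] = "/tmp/errlogXXXXXX", acc[] = "/tmp/acclogXXXXXX";
    char script[96], buf[64] = {0};
    int result = -1, rfd = -1, efd, afd;
    close(mkstemp(err)); close(mkstemp(acc));
    efd = open(err, O_WRONLY | O_APPEND | O_CLOEXEC);
    afd = open(acc, O_WRONLY | O_APPEND | access_flags);
    if (efd >= 0 && afd >= 0 && afd < 10 && write(efd, "old entry\n", 10) == 10) {
        snprintf(script, sizeof script, "echo 'cgi debug' >&2; exec 2>/dev/null; : >&%d", afd);
        int rc = run_cgi(efd, script);
        rfd = open(err, O_RDONLY | O_CLOEXEC);
        if (rc >= 0 && rc != 127 && rfd >= 0 && read(rfd, buf, sizeof buf - 1) >= 0)
            result = (rc == 0) | ((strcmp(buf, "old entry\ncgi debug\n") == 0) << 1);
    }
    close(efd); close(afd); close(rfd); unlink(err); unlink(acc);
    return result;
}

int main(void)
{
    printf("%d %d\n", cgi_log_exposure(0), cgi_log_exposure(O_CLOEXEC));
    return 0;
}
```

`O_APPEND` only forces each write to the end of the file; a process holding the descriptor can still truncate the file, so on Linux the file-level append-only attribute (`chattr +a`) is what prevents that.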

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:38 EDT

