Re: Apache 2.x leaked descriptors

Hi,

On Tue, 25 Feb 2003, Brian Hatch wrote:
> I'd argue that the error log *should* be available to exec'd CGIs

file descriptors 0, 1 and 2 are not the problem. They are open and required for the script to function properly.

> Now error log should be opened in append only mode, such that these

Yes error messages from cgi scripts usually end up in the virtual hosts error log. That is current behaviour if I'm not mistaken.

[snipp]
> If the error log (the only one that is appropriate for the

the cgi has access to the error log via its stderr file descriptor 2. It does not need access to the file descriptor of the log itself.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

> I think an apache directive to allow

the apache source code already has hooks for closing these resources. The reason it is not happening is because there is a bug. A trivial patch has been posted and is being discussed with the apache group.

I hope it will get committed into their cvs as soon as possible.

Greetings
Christian

-- 
CK Software GmbH
Christian Kratzer,           Schwarzwaldstr. 31, 71131 Jettingen
Email:	ck@cksoft.de
Phone: 	+49 7452 889-135     Open Software Solutions, Network Security
Fax: 	+49 7452 889-136     FreeBSD spoken here!