Debian Bug report logs - #366124
apache2: should mark its listening socket close-on-exec

Package: libapr1; Maintainer for libapr1 is Debian Apache Maintainers <debian-apache@lists.debian.org>; Source for libapr1 is src:apr.

Reported by: Marc Haber <mh+debian-bugs@zugschlus.de>

Date: Fri, 5 May 2006 12:03:05 UTC

Severity: important

Tags: lenny

Fixed in versions apr/1.3.5-2, apr/1.2.12-5+lenny2

Done: Stefan Fritsch <sf@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://issues.apache.org/bugzilla/show_bug.cgi?id=43965

Report forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#366124; Package apache2.


Acknowledgement sent to Marc Haber <mh+debian-bugs@zugschlus.de>:
New Bug report received and forwarded. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Marc Haber <mh+debian-bugs@zugschlus.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apache2: should mark its listening socket close-on-exec
Date: Fri, 05 May 2006 13:58:51 +0200

Package: apache2
Severity: wishlist

Hi,

the exim4 maintainers have received an increasing number of support
cases where apache wouldn't start because there was an exim process
listening on port 80. People keep suggesting a compromised exim and
worse things.

The only explanation I can come up with is the following:

(1) apache or something running inside the apache process (maybe a php
    script using mail()) sends e-mail using /usr/lib/sendmail.
(2) exim, invoked as /usr/lib/sendmail, inherits the listening socket.
(3) exim cannot deliver the message right away and stays around
    (maybe teergrubed)
(4) while exim is still around, apache dies for some reason
(5) The newly started apache cannot bind to port 80 since it is still
    held by the exim process exec()ed in (2).

I am told by one of the exim developers that the easiest way to
avoid this behavior would be to have apache mark its listening socket
close-on-exec to avoid exim inheriting the socket.

I'd like to hear your comments.

Greetings
Marc


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16.14-zgsrv
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
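
Steps (2) to (5) of the scenario above can be reproduced in a few lines of C. This is an added example, not part of the original report and not apr or Apache code; `sleep` stands in for the long-running exim process, and `listen_on` and `restart_can_rebind` are hypothetical names.

```c
#include <fcntl.h>
#include <netinet/in.h>
#include <signal.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Listen on a TCP port (0 = kernel picks one); returns the fd or -1. */
static int listen_on(unsigned short port, int cloexec, unsigned short *bound) {
    struct sockaddr_in a = {0};
    socklen_t len = sizeof a;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_ANY);
    a.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&a, sizeof a) < 0 || listen(fd, 8) < 0 ||
        (cloexec && fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) ||  /* the requested fix */
        getsockname(fd, (struct sockaddr *)&a, &len) < 0) {
        close(fd);
        return -1;
    }
    if (bound) *bound = ntohs(a.sin_port);
    return fd;
}

/* 1 = a restarted server can rebind the port while the helper exec'ed by the
 * old server is still running, 0 = port still held, -1 = setup error. */
int restart_can_rebind(int cloexec) {
    unsigned short port;
    int sync[2], again = -1, exec_ok, old = listen_on(0, cloexec, &port);
    char c;
    pid_t pid;
    if (old < 0 || pipe(sync) < 0) return -1;
    fcntl(sync[1], F_SETFD, FD_CLOEXEC);    /* write end closes when exec succeeds */
    if ((pid = fork()) < 0) return -1;
    if (pid == 0) {                         /* step (2): plain exec of the helper */
        execlp("sleep", "sleep", "30", (char *)NULL);
        _exit(write(sync[1], "x", 1) == 1 ? 127 : 126);  /* report exec failure */
    }
    close(sync[1]);
    exec_ok = read(sync[0], &c, 1) == 0;    /* EOF means the child has exec'ed */
    close(sync[0]);
    close(old);                             /* step (4): the old server dies */
    if (exec_ok) again = listen_on(port, cloexec, NULL);  /* step (5): restart */
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    if (again >= 0) close(again);
    return exec_ok ? again >= 0 : -1;
}
```

`restart_can_rebind(0)` returns 0 because the helper still holds the inherited listening socket, so the second `bind` fails; `restart_can_rebind(1)` returns 1 because the descriptor was closed at exec time.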



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#366124; Package apache2.


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>.


Message #10 received at 366124@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: Marc Haber <mh+debian-bugs@zugschlus.de>
Cc: 366124@bugs.debian.org
Subject: Re: Bug#366124: apache2: should mark its listening socket close-on-exec
Date: Sun, 07 May 2006 22:11:44 +0200

* Marc Haber:

> (1) apache or something running inside the apache process (maybe a php
>     script using mail()) sends e-mail using /usr/lib/sendmail.
> (2) exim, invoked as /usr/lib/sendmail, inherits the listening socket.

If Apache behaves like this, it's a security issue, especially if it
occurs together with SuexecUserGroup.  Non-privileged processes can
intercept HTTP requests and impersonate the web server process.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#366124; Package apache2.


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>.


Message #15 received at 366124@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: 366124@bugs.debian.org
Subject: apache2: should mark its listening socket close-on-exec
Date: Sun, 12 Nov 2006 21:46:19 +0100

> If Apache behaves like this, it's a security issue, especially if
> it occurs together with SuexecUserGroup.  Non-privileged processes
> can intercept HTTP requests and impersonate the web server process.

mod_cgi closes the socket (I checked 2.2) so it is only an issue with 
mod_php.

AFAIK mod_php has no facility to change the uid, so it is no security 
issue: As long as the uid stays the same, the spawned process can  
ptrace the apache process and do anything it wants anyway.

Maybe one could check fastcgi as well. But if the missing 
close-on-exec breaks restart in some cases, it should probably be 
fixed in apache itself.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#366124; Package apache2.


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>.


Message #20 received at 366124@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: 366124@bugs.debian.org
Subject: apache2: should mark its listening socket close-on-exec
Date: Sun, 22 Jul 2007 20:15:24 +0200

> AFAIK mod_php has no facility to change the uid, so it is no
> security issue: As long as the uid stays the same, the spawned
> process can ptrace the apache process and do anything it wants
> anyway.

FWIW, this is not true if the apache parent process runs as root. In 
this case the child processes are treated specially because they used 
to be privileged and therefore cannot be ptraced by normal 
(non-root) processes.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#366124; Package apache2.


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>.


Message #25 received at 366124@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: 366124@bugs.debian.org
Subject: apache2: should mark its listening socket close-on-exec
Date: Sun, 22 Jul 2007 23:40:08 +0200

This is also discussed at

http://bugs.php.net/bug.php?id=38915

There is the argument that mod_php should use apr_proc_create instead 
of using exec directly. So maybe we should reassign this to mod_php



Noted your statement that Bug has been forwarded to http://issues.apache.org/bugzilla/show_bug.cgi?id=43965. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Tue, 27 Nov 2007 20:06:02 GMT).


Bug reassigned from package `apache2' to `libapr1'. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Tue, 23 Jun 2009 19:57:12 GMT).


Reply sent to Stefan Fritsch <sf@debian.org>:
You have taken responsibility. (Tue, 23 Jun 2009 22:15:12 GMT).


Notification sent to Marc Haber <mh+debian-bugs@zugschlus.de>:
Bug acknowledged by developer. (Tue, 23 Jun 2009 22:15:12 GMT).


Message #34 received at 366124-close@bugs.debian.org:

From: Stefan Fritsch <sf@debian.org>
To: 366124-close@bugs.debian.org
Subject: Bug#366124: fixed in apr 1.3.5-2
Date: Tue, 23 Jun 2009 21:34:24 +0000

Source: apr
Source-Version: 1.3.5-2

We believe that the bug you reported is fixed in the latest version of
apr, which is due to be installed in the Debian FTP archive:

apr_1.3.5-2.diff.gz
  to pool/main/a/apr/apr_1.3.5-2.diff.gz
apr_1.3.5-2.dsc
  to pool/main/a/apr/apr_1.3.5-2.dsc
libapr1-dbg_1.3.5-2_i386.deb
  to pool/main/a/apr/libapr1-dbg_1.3.5-2_i386.deb
libapr1-dev_1.3.5-2_i386.deb
  to pool/main/a/apr/libapr1-dev_1.3.5-2_i386.deb
libapr1_1.3.5-2_i386.deb
  to pool/main/a/apr/libapr1_1.3.5-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 366124@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 23 Jun 2009 22:15:02 +0200
Source: apr
Binary: libapr1 libapr1-dev libapr1-dbg
Architecture: source i386
Version: 1.3.5-2
Distribution: unstable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 libapr1    - The Apache Portable Runtime Library
 libapr1-dbg - The Apache Portable Runtime Library - Debugging Symbols
 libapr1-dev - The Apache Portable Runtime Library - Development Headers
Closes: 366124
Changes: 
 apr (1.3.5-2) unstable; urgency=low
 .
   * Mark non-inheritable file descriptors with FD_CLOEXEC, to prevent leaking
     them to processes exec'ed by applications that fail to use the apr API
     correctly (i.e. mod_php). Closes: #366124
   * Bump standards-version (no changes).
   * Override soname lintian warning (too late to change that).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 10 Aug 2009 07:29:29 GMT).


Bug unarchived. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Tue, 18 May 2010 19:51:08 GMT).


Added tag(s) lenny. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Tue, 18 May 2010 19:51:09 GMT).


Severity set to 'important' from 'wishlist' Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Tue, 25 May 2010 20:51:06 GMT).


Reply sent to Stefan Fritsch <sf@debian.org>:
You have taken responsibility. (Thu, 03 Jun 2010 13:57:13 GMT).


Notification sent to Marc Haber <mh+debian-bugs@zugschlus.de>:
Bug acknowledged by developer. (Thu, 03 Jun 2010 13:57:13 GMT).


Message #47 received at 366124-close@bugs.debian.org:

From: Stefan Fritsch <sf@debian.org>
To: 366124-close@bugs.debian.org
Subject: Bug#366124: fixed in apr 1.2.12-5+lenny2
Date: Thu, 03 Jun 2010 13:52:41 +0000

Source: apr
Source-Version: 1.2.12-5+lenny2

We believe that the bug you reported is fixed in the latest version of
apr, which is due to be installed in the Debian FTP archive:

apr_1.2.12-5+lenny2.diff.gz
  to main/a/apr/apr_1.2.12-5+lenny2.diff.gz
apr_1.2.12-5+lenny2.dsc
  to main/a/apr/apr_1.2.12-5+lenny2.dsc
libapr1-dbg_1.2.12-5+lenny2_i386.deb
  to main/a/apr/libapr1-dbg_1.2.12-5+lenny2_i386.deb
libapr1-dev_1.2.12-5+lenny2_i386.deb
  to main/a/apr/libapr1-dev_1.2.12-5+lenny2_i386.deb
libapr1_1.2.12-5+lenny2_i386.deb
  to main/a/apr/libapr1_1.2.12-5+lenny2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 366124@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 01 Jun 2010 23:11:19 +0200
Source: apr
Binary: libapr1 libapr1-dev libapr1-dbg
Architecture: source i386
Version: 1.2.12-5+lenny2
Distribution: stable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 libapr1    - The Apache Portable Runtime Library
 libapr1-dbg - The Apache Portable Runtime Library - Development Headers
 libapr1-dev - The Apache Portable Runtime Library - Development Headers
Closes: 366124
Changes: 
 apr (1.2.12-5+lenny2) stable; urgency=low
 .
   * Set FD_CLOEXEC flag on file descriptors. Not doing so caused Apache httpd
     modules which do not use the apr API for executing other processes to leak
     file descriptors to the called processes. In some setups, this could cause
     security issues and/or problems with Apache failing to restart. This issue
     affected mod_php (but not mod_cgi). Closes: #366124


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 02 Jul 2010 07:33:59 GMT).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jan 7 14:42:21 2018; Machine Name: buxtehude