On 06/26/2007 08:37 PM, Joe Orton wrote:
> My summary: I've still not seen any argument why it presents a security 
> risk for a "malicious child" to be able to kill a piped logger or other 
> non-MPM-spawned process, so:

What about signals other than SIGKILL and SIGTERM?

We also send SIGUSR1 in some cases.

Can this signal create any harm that could not be created otherwise by the
"malicious child" when sent to

1. A piped logger program (could be 3rd party).
2. A CGI script started with suexec.

Regarding the piped logger:

I would guess that a "malicious child" can disable logging for itself by closing
the fd of the piped logger. IMHO this is even harder to detect for the admin
than a killed logger.

Regarding other processes I think the "malicious child" can send any signal to
them anyway as long as they are running with the same user id as the child.

IMHO the advantage of the PID table is that it opens the possibility for further
sanity checks of the scoreboard, especially for cross checking how many children
we really have. OTOH if I think about it more closely it is questionable if the
added overhead is really worth it, because a "malicious child" at least can
create a "fork bomb" without the help of the scoreboard.


Regards

Rüdiger
