On 06/26/2007 08:37 PM, Joe Orton wrote:
> My summary: I've still not seen any argument why it presents a security
> risk for a "malicious child" to be able to kill a piped logger or other
> non-MPM-spawned process, so:

What about signals other than SIGKILL and SIGTERM? We also send SIGUSR1 in some cases. Can this signal create any harm that could not be created otherwise by the "malicious child" when sent to

1. A piped logger program (could be 3rd party).
2. A CGI script started with suexec.

Regarding the piped logger: I would guess that a "malicious child" can disable logging for itself by closing the fd of the piped logger. IMHO this is even harder to detect for the admin than a killed logger.

Regarding other processes I think the "malicious child" can send any signal to them anyway as long as they are running with the same user id as the child.

IMHO the advantage of the PID table is that it opens the possibility for further sanity checks of the scoreboard, especially for cross checking how many children we really have. OTOH if I think about it more closely it is questionable if the added overhead is really worth it, because a "malicious child" at least can create a "fork bomb" without the help of the scoreboard.

Regards

Rüdiger
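
A minimal sketch of the PID-table idea discussed in this message, added here as an example and not taken from the httpd code base or from either poster: the parent keeps the PIDs it forked in private memory and checks any PID read from the scoreboard against that table before signalling it and when counting children. All function names and the fixed table size are assumptions made for illustration.

```c
#include <signal.h>
#include <stddef.h>
#include <sys/types.h>
#include <unistd.h>   /* getpid() for callers of this sketch */

#define MAX_CHILDREN 8   /* assumed size, for illustration only */

/* Parent-private table: kept in the parent's own memory, not in the
 * shared scoreboard, so a child process cannot alter it. */
static pid_t pid_table[MAX_CHILDREN];
static size_t pid_count;

/* Record a PID returned by fork() in the parent. Values <= 0 are
 * rejected: kill(0, sig) targets the caller's process group and
 * kill(-1, sig) targets every process the caller may signal. */
int pid_table_add(pid_t pid) {
    if (pid <= 0 || pid_count == MAX_CHILDREN) return -1;
    pid_table[pid_count++] = pid;
    return 0;
}

int pid_table_contains(pid_t pid) {
    for (size_t i = 0; i < pid_count; i++)
        if (pid_table[i] == pid) return 1;
    return 0;
}

/* Signal a PID read from the scoreboard only if the parent forked it.
 * Returns -1 without calling kill() for any unknown PID. */
int safe_kill(pid_t scoreboard_pid, int sig) {
    if (!pid_table_contains(scoreboard_pid)) return -1;
    return kill(scoreboard_pid, sig);
}

/* Cross-check: count non-empty scoreboard slots whose PID the parent
 * never forked. A non-zero result means the scoreboard disagrees with
 * what the parent knows about its own children. */
size_t scoreboard_unknown(const pid_t *slots, size_t n) {
    size_t unknown = 0;
    for (size_t i = 0; i < n; i++)
        if (slots[i] != 0 && !pid_table_contains(slots[i])) unknown++;
    return unknown;
}
```

The lookup is linear per signal, which is the kind of added overhead the message weighs against the benefit.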