Hi all, I've got a local denial-of-service with fcgid if used in a shared hosting environment.

Situation
---------
Shared hosting on Ubuntu Dapper Drake (PHP 4.4.x, Apache 2.0.x, fcgid normally 1.0.7 but upgraded to 1.10 on my machine - that's still ancient, but unless I'm mistaken, I see the same problem in the current CVS code).

PHP wrapper must be owned by respective user due to suexec policy. In other words, it's impossible to use a user-unwritable system-wide fcgi wrapper.

Problem
-------
If a user accidentally deletes the wrapper script, restarting Apache will fail with this (slightly edited to protect the guilty):

-- snip --
 * Forcing reload of apache 2.0 web server...
Syntax error on line 682 of /etc/apache2/sites-enabled/site.conf:
can't get fastcgi file info: /var/www/path-to-wrapper/php4, errno: 2
 [fail]
-- snip --

Analysis
--------
The message originates from the code at line 750 in fcgid_conf.c, which seems to be for checking that the wrapper exists.

Conclusions
-----------
I think this should be made a warning instead of an error, because:

1) It creates the local denial-of-service vulnerability I described above.
2) It does not guarantee that the wrapper will be available when it's actually accessed anyway. The wrapper could have been renamed, removed, chmodded or otherwise made inaccessible (or it might even have been created).
3) It's not really a syntax error anyway...

What now (for me)
-----------------
To prevent the denial-of-service problem for me, I have commented out the check in my copy of the sources for the moment. I'll report back if this gets me into trouble :-)

Comments? Thoughts?

Regards,
Jo

_______________________________________________
Mod-fcgid-users mailing list
Mod-fcgid-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-fcgid-users
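
An operator-side check for the situation described in the post, as an added example that is not part of the original message or of mod_fcgid: it scans the vhost files for wrapper directives and reports any wrapper that is gone before Apache is reloaded. It assumes the wrappers are configured with the `FCGIWrapper` directive, that the vhost files sit in one directory, and that wrapper paths contain no spaces; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-reload check for mod_fcgid wrapper scripts.
# Assumptions: wrappers are set with the FCGIWrapper directive, one vhost
# file per site in a single directory, and wrapper paths contain no spaces.

# Print "file:line: path (reason)" for every wrapper that is unusable.
find_broken_wrappers() {
    conf_dir=$1
    for conf in "$conf_dir"/*; do
        [ -f "$conf" ] || continue
        # Directive names are case-insensitive; commented lines never match
        # because their first field starts with '#'.
        awk 'tolower($1) == "fcgiwrapper" { gsub(/"/, "", $2); print NR, $2 }' "$conf" |
        while read -r lineno path; do
            if [ ! -e "$path" ]; then
                # The deleted-wrapper case from the post (errno 2).
                echo "$conf:$lineno: $path (missing)"
            elif [ ! -x "$path" ]; then
                # Not the startup failure from the post, but it cannot be run.
                echo "$conf:$lineno: $path (not executable)"
            fi
        done
    done
}

# Return 0 if every wrapper is usable, 1 (with a report on stderr) otherwise.
preflight() {
    broken=$(find_broken_wrappers "$1")
    if [ -z "$broken" ]; then
        return 0
    fi
    printf 'unusable FastCGI wrappers:\n%s\n' "$broken" >&2
    return 1
}

# Constructed sample: alice's wrapper exists, bob's has been deleted.
demo() {
    d=$(mktemp -d)
    mkdir "$d/sites"
    printf '#!/bin/sh\nexec php-cgi\n' > "$d/php4-alice"
    chmod +x "$d/php4-alice"
    printf 'FCGIWrapper %s .php\n' "$d/php4-alice" > "$d/sites/alice.conf"
    printf '# bob\nFCGIWrapper "%s" .php\n' "$d/php4-bob" > "$d/sites/bob.conf"
    find_broken_wrappers "$d/sites"
    rm -rf "$d"
}
demo
```

Running `preflight /etc/apache2/sites-enabled` before a reload names the affected vhost file and line, so one site can be disabled instead of the reload failing for every site.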