ID: 15529
Updated by: [EMAIL PROTECTED]
Reported By: ddhill at zk3 dot dec dot com
-Status: Open
+Status: Verified
Bug Type: Apache related
Operating System: generic unix
-PHP Version: 4.1.1
+PHP Version: 4.3.3RC2-dev, PHP 5.0.0b2-dev
New Comment:
Verified with latest CVS of both PHP4 and PHP5 branches.
Previous Comments:
------------------------------------------------------------------------
[2003-03-05 16:37:39] gpiszczek at serwery dot pl
I think that problem is rather serious because as child process
inherits all open file descriptors it is possibile to truncate all
currently opened log files. As mentioned above child also inherits
shared memory segments. If Apache is compiled to use shared memory for
it's scoreboard corrupting it can lead to denial of service attack.
------------------------------------------------------------------------
[2002-09-26 10:43:49] [EMAIL PROTECTED]
And #16548
------------------------------------------------------------------------
[2002-09-26 10:28:44] [EMAIL PROTECTED]
Apparently related to #15642
------------------------------------------------------------------------
[2002-02-12 15:58:24] ddhill at zk3 dot dec dot com
When PHP is used as an Apache module, it does not follow the module
convention when child processes are created of cleaning up the
environment.
PHP uses the popen() system call to do the fork/exec of a sub process.
Processes created using this procedure inherit a bunch of stuff from
the parent process including such things a open file descriptors and
shared memory segments. This can cause a problem if the child process
is intended to last longer than the duration of the PHP page that
invokes it. An example of a problem that can occur would be that as
long as the child process is running, it will hold open the socket port
that the Apache server was listening on, even after the Apache server
has been stopped. In this example, the apache will not be able to
restart untill the child process has been terminated.
I understand that 99.9999% of calls to system() in PHP are intended to
return within the lifespan of the PHP page view. But it is reasonable
(and not prohibited by the current documention) to use a php page to
kick off a background task.
>From examinations of other apache modules (mod_cgi, fastcgi...), it
would apear that the module should call ap_cleanup_for_exec() in the
child process after it is forked, but prior to the exec() call. This
requirement makes it impossible to use the default system popen() call.
I think that a generic rewritten popen could be used that would do
the same task as popen but could call the clenup routine, but am not
sure how this would be integrated into the overall php build env.
To reproduce this problem... create a small sleep loop script and then
invoke it via php, stop the web server and then try to restart it. The
server will fail to startup with the log message:
[Tue Feb 12 15:44:27 2002] [crit] (48)Address already in use:
make_sock: could not bind to port 80
Killing off the sleeping_loop program will allow the server to be
restarted.
# cat hi.php
<html>
<body>
Hi there !
<?php exec("/bin/ksh nohup /tmp/sleeping_loop > /dev/null 2>&1 &"); ?>
Execing our program !
</body>
</html>
# cat sleeping_loop.c
#include <unistd.h>
main() {
setpgrp(getpid(),0);
while(1) {
sleep(60);
}
}
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=15529&edit=1
