native log files not closed at/before CGI exec
Description
Environment
RHEL 5 & 6
Apache prefork (default)
mod_cgi
suexec
Activity
Scott Cantor June 18, 2013 at 2:24 AM
Closing on release.
Scott Cantor May 29, 2013 at 8:19 PM
My mistake: the original patch didn't take. log4shib trunk is now behaving correctly and fixes this issue on Solaris and should work for Linux.
Also patched the socket code, though not getting a clear indication yet if it's making a difference. Did all I could though.
Scott Cantor May 29, 2013 at 6:40 PM
At least on Solaris 11, this is making no difference, so I believe there is no way in the context of whatever Apache is doing to prevent this.
I'm still going to poke at it some more.
Scott Cantor May 29, 2013 at 4:17 PM
Not 100% certain yet, but I think the sockets might also be getting through, so better safe than sorry. Technically that doesn't mean much; anything on the box can open a new socket to shibd anyway, but if SELinux or something like that were used, it would be bad to have the sockets inherited.
Starting with a log4shib patch in r405 that adds open/fcntl/socket fixes that set close-on-exec.
Mac seems to be behaving ok with it, will test on Solaris next, then port in the same fix to the SP remoting code.
Scott Cantor May 28, 2013 at 10:08 PM
On Solaris, to use one example, the Apache error log is also open (I suspect intentionally) as stderr for the CGI script to use.
I'm not sure that this is worth investing a lot of effort into fixing, at least right this second. The file handles that are left open here are opened write only, so the CGI process can't read from them if that's the concern.
I'll look into fixing this in the future when I have a bit more time to spend.
But I do want to verify that there isn't a more serious issue with socket descriptors getting inherited.
mod_shib does not seem to be marking the native(_warn).log files for close before the CGI exec.
Example script to see this with (self.cgi):
#!/bin/sh
echo "Content-Type: text/plain";
echo
ls -l /proc/self/fd
which gives output like this:
total 0
lr-x------. 1 u1 u1 64 May 28 14:02 0 -> pipe:[103303]
l-wx------. 1 u1 u1 64 May 28 14:02 1 -> pipe:[103304]
l-wx------. 1 u1 u1 64 May 28 14:02 2 -> pipe:[103305]
lr-x------. 1 u1 u1 64 May 28 14:02 3 -> /proc/18446/fd
l-wx------. 1 u1 u1 64 May 28 14:02 30 -> /var/log/httpd/native.log
l-wx------. 1 u1 u1 64 May 28 14:02 31 -> /var/log/httpd/native_warn.log
Notice that the running CGI script still has open file descriptors to the two native logs. I have confirmed that writing to those works fine, which is bad.
If you have a long-running CGI process ('sleep 30' in the above script works fine), this is also visible in the output of:
lsof | grep native.log
along with the expected httpd processes that have the native logs open.
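The following is an added example, not code from Shibboleth, log4shib or the r405 patch mentioned in the comments. It is a small C program that reproduces what the /proc/self/fd listing above shows (a descriptor opened without FD_CLOEXEC is inherited across mod_cgi's fork and exec and can be written to) and applies the two fixes the comments refer to: O_CLOEXEC / SOCK_CLOEXEC at creation time where the platform has them, and fcntl(F_SETFD, FD_CLOEXEC) for a descriptor that already exists. The function names, the /tmp paths and the use of mkstemp() as a stand-in for a log file opened without the flag are this example's own choices, not anything from the project.

```c
/* Added example, not Shibboleth or log4shib code. Shows why a descriptor
 * opened without FD_CLOEXEC is inherited by a fork()+exec()'d child (what
 * mod_cgi does for every CGI request) and the two fixes the ticket refers
 * to. Paths and function names are constructed stand-ins for native.log. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if FD_CLOEXEC is set on fd, 0 if not, -1 if fd is not open. */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags == -1 ? -1 : (flags & FD_CLOEXEC) != 0;
}

/* After-the-fact fix for descriptors from APIs with no CLOEXEC variant
 * (fopen(), mkstemp(), socket() on older kernels). Not atomic against a
 * concurrent fork()+exec() in another thread, so prefer *_CLOEXEC below. */
int mark_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags == -1 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Open a log file for appending with close-on-exec set at creation. */
int open_log_cloexec(const char *path)
{
#ifdef O_CLOEXEC
    return open(path, O_WRONLY | O_CREAT | O_APPEND | O_CLOEXEC, 0600);
#else
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (fd != -1 && mark_cloexec(fd) == -1) { close(fd); fd = -1; }
    return fd;
#endif
}

/* Same for a Unix-domain socket (the mod_shib -> shibd channel). */
int socket_cloexec(void)
{
#ifdef SOCK_CLOEXEC
    return socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
#else
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd != -1 && mark_cloexec(fd) == -1) { close(fd); fd = -1; }
    return fd;
#endif
}

/* Act like mod_cgi: fork, exec /bin/sh, and have the "CGI script" try to
 * write to descriptor number fd, as 'echo x >&30' would. Returns 1 if the
 * write succeeded (fd was inherited), 0 if the shell found it closed, and
 * -1 if the child could not be run at all. */
int fd_writable_after_exec(int fd)
{
    char cmd[64];
    int status;
    pid_t pid;

    snprintf(cmd, sizeof cmd, "echo probe 2>/dev/null >&%d", fd);
    if ((pid = fork()) == -1)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status)
        || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    /* mkstemp() returns a descriptor WITHOUT FD_CLOEXEC: the buggy case. */
    char leaky_path[] = "/tmp/native-leaky-XXXXXX";
    char fixed_path[] = "/tmp/native-fixed-XXXXXX";
    int leaky = mkstemp(leaky_path), fixed = mkstemp(fixed_path), sock;

    if (leaky == -1 || fixed == -1) { perror("mkstemp"); return 1; }
    close(fixed);
    fixed = open_log_cloexec(fixed_path);
    sock = socket_cloexec();
    if (fixed == -1 || sock == -1) { perror("open/socket"); return 1; }
    printf("leaky log:   cloexec=%d writable-after-exec=%d\n",
           fd_is_cloexec(leaky), fd_writable_after_exec(leaky));
    printf("fixed log:   cloexec=%d writable-after-exec=%d\n",
           fd_is_cloexec(fixed), fd_writable_after_exec(fixed));
    printf("unix socket: cloexec=%d\n", fd_is_cloexec(sock));
    mark_cloexec(leaky); /* repair the leaky one in place */
    printf("leaky log after fcntl: cloexec=%d writable-after-exec=%d\n",
           fd_is_cloexec(leaky), fd_writable_after_exec(leaky));
    close(leaky); close(fixed); close(sock);
    unlink(leaky_path); unlink(fixed_path);
    return 0;
}
```

Compile with cc -o cloexec cloexec.c and run it. The child is a real /bin/sh, so the probe is exactly what a CGI script can do with echo x >&30; writable-after-exec=1 on the leaky descriptor is the condition the ticket describes, and it drops to 0 once the flag is set by either method. Two points worth keeping in mind when porting the fix: setting the flag with fcntl() after open() is not atomic against another thread forking in between, so on threaded servers the O_CLOEXEC (Linux 2.6.23) and SOCK_CLOEXEC (Linux 2.6.27) variants are the right default and the fcntl() path is only a fallback for kernels and libcs that predate them; and a descriptor inherited by a suexec'd CGI carries the permission check done at open time, so a script running as an unprivileged user can append to a log it could not open itself, which is why a write-only descriptor is still a problem.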