On Thu, 4 May 1995, Paul Phillips wrote: > It was pointed out that fchdir could conceivably be used to escape a > chrooted area. I also really don't like the idea that a CGI can log an > arbitrary amount of false information. Trashing the log files at least > informs the web admin that something is up, but information warfare can > be more dangerous than information vandalism. Sorry to quote myself, but this is quite more serious than I had originally painted it. I know of some commercial web space providers that charge by the byte for bandwidth used. If I have an account and CGI access on the same server that someone else does, what is to stop me from logging lots of entries for someone else on the server, greatly increasing their tab? Nothing. In fact, with a single CGI I could fork another process that sits around in the background and logs accesses to my enemies every minute or so. Not good. Anyone running any NCSA server that uses the logs for billing is on thin ice. On that note, here is a patch for httpd1.4 that fixes the problem. *** http_log.c.orig Thu May 4 16:00:27 1995 --- http_log.c Thu May 4 16:13:26 1995 *************** *** 57,62 **** --- 57,64 ---- extern char *save_name; void open_logs() { + int flags; + if(!(error_log = fopen(error_fname,"a"))) { fprintf(stderr,"httpd: could not open error log file %s.\n", error_fname); *************** *** 81,86 **** --- 83,106 ---- perror("fopen"); exit(1); } + + /* set close-on-exec flag so CGI's cannot get to logs */ + + flags = fcntl(fileno(error_log), F_GETFD); + flags |= FD_CLOEXEC; + fcntl(fileno(error_log), F_SETFD, flags); + + flags = fcntl(xfer_log, F_GETFD); + flags |= FD_CLOEXEC; + fcntl(xfer_log, F_SETFD, flags); + + flags = fcntl(fileno(agent_log), F_GETFD); + flags |= FD_CLOEXEC; + fcntl(fileno(agent_log), F_SETFD, flags); + + flags = fcntl(fileno(referer_log), F_GETFD); + flags |= FD_CLOEXEC; + fcntl(fileno(referer_log), F_SETFD, flags); } void close_logs() { ------------ End patch ----------------- -- Paul Phillips EMAIL: paulp@cerf.net WWW: http://www.primus.com/staff/paulp/ PHONE: (619) 220-0850