Bug #20302 Leaked Descriptors
Submitted: 2002-11-07 12:20 UTC Modified: 2003-12-27 13:07 UTC
Votes:12
Avg. Score:4.7 ± 0.6
Reproduced:5 of 5 (100.0%)
Same Version:2 (40.0%)
Same OS:0 (0.0%)
From: linux_4ever at yahoo dot com Assigned:
Status: No Feedback Package: Scripting Engine problem
PHP Version: 4.2.2 OS: Linux 2.4.18
Private report: No CVE-ID: None
 [2002-11-07 12:20 UTC] linux_4ever at yahoo dot com
Upon investigating the php engine as shipped by RedHat 8.0 with the env_audit program, I have found that php is leaking descriptors (above and beyond what apache is leaking). One descriptor is the php webpage being executed, and 2 copies of the socket returned from accept appear to be leaked. The env_audit program is listed at freshmeat.net, it comes with instructions to audit php.

The fix is to add a fcntl(fd, FD_CLOEXEC) after accept and after opening the page.

 [2002-12-05 13:09 UTC] sesser@php.net
It would be nice if you could give an exact description of what descriptors are open for you. Like a directory listing
...
ls -la /proc/pidofapache/fd

BTW: The opened script fd can be leaked without any security impact.

And it is an apache bug that the fds are leaked. PHP does not accept (it's the apache child that accepts). And mysql etc. sockets are opened by the mysqlclient libs... these are responsible for setting the close on exec flag, not PHP.


 [2002-12-08 11:11 UTC] linux_4ever at yahoo dot com
>It would be nice if you could give an exact 
>description of what descriptors are open for you. 

The main problem is with apache 2.x. The listing is huge. There are 2 descriptors per website on the machine + main error log + main access log just being leaked by mod_cgi. When testing mod_php, I found 3 additional descriptors being leaked. I guess I incorrectly assumed that this was a php problem. If php does not police or clean up the environment that php applications run under, then I guess this bug report can be closed. I will also make the apache team aware of this issue. My feelings are that apache 2.x really has some problems.

If you are curious about the leaked descriptors, visit: http://www.web-insights.net/env_audit  The env_audit program has a full description and a ready-to-use php script for testing this. There is also a 50 page report that can be downloaded from that page that gives more detail than I can list here.

>BTW: The opened script fd can be leaked without 
>any security impact.

Maybe and maybe not. If a hole is found in php, people could use this to overwrite a page making a temporary security problem more permanent. To do this requires first finding another exploit, then you might be able to use this for more mischief. Unless there's a compelling reason not to do so, I would close the fd or set the FD_CLOEXEC flag. My testing calls a program external to PHP using the passthru() function. This external program should not have access to PHP files.

So, I leave it to your team. I won't object to closing this bug report if you feel the issue truly lies with apache 2.x. Thanks for looking at it.
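An added example (written for this page, not code from the report, from PHP or from Apache) that shows the mechanism the report and the passthru() remark above describe: a descriptor opened without the close-on-exec flag is inherited by any program exec'd from the process, and setting the flag stops that. The fix named in the report is spelled out here as fcntl(fd, F_SETFD, FD_CLOEXEC), which is the form the call takes. It assumes a POSIX system with /bin/sh for the exec'd child, and Linux /proc for the audit function, which counts the descriptors that would leak the way the `ls -la /proc/<pid>/fd` listing suggested earlier would show them. The scratch descriptor is a constructed open of /dev/null standing in for the script file or accepted socket.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return 1 if fd has the close-on-exec flag, 0 if not, -1 if fd is invalid. */
int has_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1) return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* The fix proposed in the report: mark an already-open fd close-on-exec.
 * Reads the current FD flags first so nothing else is clobbered. 0 or -1. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1) return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Fork and exec /bin/sh, which tries to write through the given fd number
 * (the same situation as a program started by passthru()).
 * Returns 1 if the child could use the fd (it leaked across exec),
 * 0 if the fd was closed for the child (or exec failed), -1 on fork error. */
int fd_inherited_by_child(int fd) {
    char cmd[64];
    /* stderr is silenced first so a "Bad file descriptor" message is hidden */
    snprintf(cmd, sizeof cmd, "echo inherited 2>/dev/null >&%d", fd);
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) == -1) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

/* Walk /proc/self/fd and count descriptors that lack FD_CLOEXEC, i.e. the
 * ones a child started from this process would inherit. Returns that count,
 * or -1 if /proc is not available (non-Linux systems). */
int count_leakable_fds(void) {
    DIR *d = opendir("/proc/self/fd");
    if (!d) return -1;
    int own = dirfd(d), leaks = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.') continue;
        int fd = atoi(e->d_name);
        if (fd == own) continue;          /* opendir's own descriptor */
        if (has_cloexec(fd) == 0) leaks++;
    }
    closedir(d);
    return leaks;
}

/* Open a constructed scratch descriptor the way a script file or accepted
 * socket would be opened, show it leaks into an exec'd child, then apply the
 * fix and show it no longer does. Returns 1 if both outcomes were as expected. */
int demo(void) {
    int fd = open("/dev/null", O_RDWR);   /* constructed stand-in for the leaked fd */
    if (fd == -1) return 0;
    int before = fd_inherited_by_child(fd);   /* 1: leaked */
    set_cloexec(fd);
    int after = fd_inherited_by_child(fd);    /* 0: closed on exec */
    close(fd);
    return (before == 1 && after == 0) ? 1 : 0;
}

int main(void) {
    printf("descriptors that would leak into a child right now: %d\n",
           count_leakable_fds());
    printf("FD_CLOEXEC stops the leak: %s\n", demo() ? "yes" : "no");
    return 0;
}
```

Setting the flag is the right fix for descriptors a process keeps open on purpose (the script file, the accepted connection): closing them is not an option while they are in use, but an external program started with passthru() has no reason to see them.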
 [2003-01-20 21:54 UTC] sniper@php.net
Could you please check whether this is any better using PHP 4.3.0 and Apache 1.3.27? Also, PHP 4.3.0 always builds a CLI binary; it would be nice to know if that has the same leaks too (you don't have to _install_ php to do that :)

 [2003-02-05 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over 2 weeks, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2004-01-23 14:57 UTC] real_triad at hotmail dot com
Why not just fix the bug? My server has already become a victim of this bug.
 [2004-01-28 18:22 UTC] mef at photosight dot ru
Please read more information (IN ENGLISH) about this bug.

http://security.nnov.ru/search/document.asp?docid=5575