tech-kern archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: suenv

In article 
 <> wrote:

>But apache is security critical, isn't it?  And it certainly is
>threaded.  Or are you applying the term "security critical" only to a
>smaller set of components?  

Yes, but apache is designed to be threaded. login, su, and other
pam users not necessarily. Typically programs "know" the closure
of shared libraries that they can potentially use, and PAM breaks
that model. The threaded/non-threaded case is a particularly nasty
example, where a program might assume that it can use static storage
and non-threaded interfaces (res_foo() instead of res_nfoo(),
getdbfoo() instead of getdbfoo_r()) and then suddenly it finds
itself in a threaded environment and potential heisen bugs. In the
apache case these may effect only the apache user and whatever
access it has, but login/su and other PAM users cases this leads
to a complete system compromise.


Home | Main Index | Thread Index | Old Index