tech-userlevel archive


Re: suenv



On Oct 23, 2012, at 2:56 PM, Christos Zoulas wrote:

> In article 
> <C75A84166056C94F84D238A44AF9F6AD277C2B%AUSX10MPC103.AMER.DELL.COM@localhost>,
> <Paul_Koning%Dell.com@localhost> wrote:
> 
>> But apache is security critical, isn't it?  And it certainly is
>> threaded.  Or are you applying the term "security critical" only to a
>> smaller set of components?  
> 
> Yes, but apache is designed to be threaded. login, su, and other
> pam users not necessarily. Typically programs "know" the closure
> of shared libraries that they can potentially use, and PAM breaks
> that model. The threaded/non-threaded case is a particularly nasty
> example, where a program might assume that it can use static storage
> and non-threaded interfaces (res_foo() instead of res_nfoo(),
> getdbfoo() instead of getdbfoo_r()) and then suddenly it finds
> itself in a threaded environment and potential heisenbugs. In the
> apache case these may affect only the apache user and whatever
> access it has, but in login/su and other PAM users' cases this leads
> to a complete system compromise.
> 
> christos
> 

That makes sense, thanks.

        paul
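
The static-storage hazard described in the quoted message, as an added example that is not part of the original thread. `lookup()`, `lookup_r()`, `module_activity()` and the account table are hypothetical stand-ins for a getdbfoo()/getdbfoo_r() pair and for code run by a dynamically loaded module; the interleaving is forced sequentially so the result is deterministic, whereas in a threaded process the same overwrite happens at unpredictable times.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data standing in for a user database. */
struct acct { const char *name; int uid; };
static const struct acct db[] = { {"root", 0}, {"www", 80}, {"alice", 1000} };

static const struct acct *find(const char *name) {
    for (size_t i = 0; i < sizeof db / sizeof db[0]; i++)
        if (strcmp(db[i].name, name) == 0) return &db[i];
    return NULL;
}

/* Hypothetical getdbfoo()-style call: one static result shared by all callers. */
struct acct *lookup(const char *name) {
    static struct acct result;
    const struct acct *e = find(name);
    if (e == NULL) return NULL;
    result = *e;
    return &result;
}

/* Hypothetical getdbfoo_r()-style call: the caller owns the storage. */
int lookup_r(const char *name, struct acct *out) {
    const struct acct *e = find(name);
    if (e == NULL) return -1;
    *out = *e;
    return 0;
}

/* Stands in for work a loaded module does on its own thread. */
static void module_activity(void) { (void)lookup("root"); }

/* Program written for a single-threaded world: keeps the static pointer. */
int uid_seen_unsafe(void) {
    struct acct *a = lookup("alice");
    module_activity();            /* runs between lookup and use */
    return a->uid;                /* static buffer now holds root's entry */
}

/* Same flow with the reentrant interface: the result cannot be overwritten. */
int uid_seen_reentrant(void) {
    struct acct a;
    if (lookup_r("alice", &a) != 0) return -1;
    module_activity();
    return a.uid;
}

int main(void) {
    printf("unsafe: %d, reentrant: %d\n", uid_seen_unsafe(), uid_seen_reentrant());
    return 0;
}
```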


