Source: apache2
Version: 2.4.25-3+deb9u6
Severity: normal
Tags: upstream
Forwarded: https://bz.apache.org/bugzilla/show_bug.cgi?id=61817
Control: found -1 2.4.25-3

Hi

When using a setup with mod_authnz_ldap and the AuthLDAPBindPassword
directive, specifically with the exec: variant as documented in [1], a
respective child process is not destroyed correctly.

To reproduce the issue within a .htaccess file (we managed to reproduce
it in .htaccess context but not in a directory context):

> AuthType Basic
> AuthName "Restricted access"
> AuthBasicProvider ldap
>
> AuthLDAPURL $url
> AuthLDAPBindDN $binddn
> AuthLDAPBindPassword "exec:/bin/cat /path/to/ldap/passwd"
>
> Require valid-user

is enough, resulting in defunct processes:

[...]
S www-data 145731 82080 0 80 0 13016 223273 - 13:50 ? 00:00:00 \_ /usr/sbin/apache2 -k start
Z www-data 151575 145731 0 80 0 0 0 - 14:21 ? 00:00:00 | \_ [cat] <defunct>
S www-data 145732 82080 0 80 0 13980 223674 - 13:50 ? 00:00:00 \_ /usr/sbin/apache2 -k start
Z www-data 151686 145732 0 80 0 0 0 - 14:22 ? 00:00:00 \_ [cat] <defunct>
[...]

The issue has been submitted upstream already in [2] with a tentative
patch, but it looks like the issue has not yet been addressed upstream.

Regards,
Salvatore

[1] http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#AuthLDAPBindPassword
[2] https://bz.apache.org/bugzilla/show_bug.cgi?id=61817
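
The `Z ... [cat] <defunct>` rows in the report above are children that have exited but whose parent has not collected their exit status. As an added illustration (not Apache httpd code and not the patch referenced in [2]), this Linux-only C program runs a hypothetical stand-in helper, `helper_state_after_exit()`, and reads the child's state from `/proc` with and without a `waitpid()` call:

```c
#define _GNU_SOURCE              /* for waitid() under strict -std modes */
#include <stdio.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* State letter from /proc/<pid>/stat ('Z' = zombie), or 0 if the PID is gone. */
static char proc_state(pid_t pid)
{
    char path[64], buf[512];
    snprintf(path, sizeof path, "/proc/%ld/stat", (long)pid);
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    char *ok = fgets(buf, sizeof buf, f);
    fclose(f);
    char *p = ok ? strrchr(buf, ')') : NULL;   /* layout: "pid (comm) S ..." */
    return (p && p[1] == ' ') ? p[2] : 0;
}

/* Hypothetical stand-in for an exec: helper: start a short-lived child and
 * report its state after it exits, with (reap=1) or without (reap=0) waitpid(). */
char helper_state_after_exit(int reap)
{
    pid_t pid = fork();
    if (pid < 0) return '?';
    if (pid == 0) {
        execl("/bin/cat", "cat", "/dev/null", (char *)NULL);
        _exit(127);                            /* exec failed: exit anyway */
    }
    /* Block until the child has exited; WNOWAIT leaves it unreaped. */
    siginfo_t si;
    if (waitid(P_PID, (id_t)pid, &si, WEXITED | WNOWAIT) != 0)
        return '?';
    if (reap)
        waitpid(pid, NULL, 0);                 /* collect the exit status */
    char st = proc_state(pid);
    if (!reap)
        waitpid(pid, NULL, 0);                 /* clean up after measuring */
    return st;
}

int main(void)
{
    printf("without waitpid: %c\n", helper_state_after_exit(0));
    printf("with waitpid:    %s\n", helper_state_after_exit(1) ? "present" : "gone");
    return 0;
}
```

A zombie holds no memory (hence the zero RSS and SZ columns in the listing) but keeps its PID and process-table slot until its parent reaps it or exits.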