Gianni Mariani wrote:
> 
> Are you starting apache as root and changing the user ID ?

Yes, I start it as root as the child servers run as nobody.

> 
> If so, you will not get a core file from httpd - or any other process for
> that matter.  It is considered a security weakness to be able to have a user
> examine a core file from a program that was once run as root.
> 
> I have used a dumb technique that works - I have apache catch all the
> signals (segv etc) and then call kill(SIGSTOP) on itself.  With a bit of
> gdb'ing it seems to work.

Gianni, can you please explain in a bit more detail what you mean here -
I don't follow. Are you modifying the code? Or running httpd under the
control of gdb? I've never used gdb, so if you could give me some brief
instructions as to what I'd need to do that would be great.

> 
> The only reason for httpd to run as root as far as I can tell is so that it
> can bind to port 80 and 443 which are privileged ports.  Other solutions
> I thought about were to patch the kernel and specifically allow 80 and 443
> binding by non-privileged users or to patch apache and use file descriptor
> passing (either by exec or ipc messages) and have a program that runs
> as root.
> 
> Anyhow, it sux.
> 
> Philip Payne wrote:
> 
> > Hi,
> >
> > Does anyone have any suggestions on what else I can try to get a core
> > dump to track down a segmentation fault????
> >
> > I've tried the various suggestions in the mod_ssl FAQ including:
> >  1) Setting CoreDumpDirectory to /tmp
> >  2) Starting Apache as a non-root user (Apache failed to start because
> > of privilege problems).
> >  3) Running the child servers as root (Apache refused to start for
> > security reasons).
> >  4) Starting Apache in single-process mode using httpd -X .
> > but the segmentation fault fails to produce a core dump.
> >
> > I'm using Apache/1.3.11 (Unix) PyApache/4.19 mod_ssl/2.5.1 OpenSSL/0.9.5
> > on Redhat Linux 6.1.
> >
> > I'm running a single Apache server for both non-SSL and SSL access.
> >
> > It all works perfectly except that child servers die with (e.g.):
> >    [notice] child pid 3732 exit signal Segmentation fault (11)
> > under the following conditions which are 100% reproducible:
> >  1) The child server has been used for at least one SSL access.
> >  2) The child server receives a non-SSL CGI POST request ==>
> > segmentation fault.
> > CGI GET requests don't have this problem.
> >
        ...     ...

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
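
The technique described in the quoted reply (catch the fatal signals, then stop the process so gdb can be attached to it while its state is intact), as an added example. This is not Apache's code or the patch used in the thread; install_stop_on_fault and demo_child_stops_on_segv are hypothetical names, and the fault is raised artificially.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Handler: uses only async-signal-safe calls, then freezes the process. */
static void stop_on_fault(int sig)
{
    static const char msg[] = "fatal signal: stopped, attach gdb to this pid\n";
    ssize_t n = write(STDERR_FILENO, msg, sizeof msg - 1);
    (void)n; (void)sig;
    kill(getpid(), SIGSTOP);  /* SIGSTOP cannot be caught or ignored */
}

/* Hypothetical helper: install the handler for the usual crash signals. */
int install_stop_on_fault(void)
{
    static const int sigs[] = { SIGSEGV, SIGBUS, SIGILL, SIGFPE, SIGABRT };
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = stop_on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESETHAND;  /* a repeat fault after SIGCONT gets the default action */
    for (size_t i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
        if (sigaction(sigs[i], &sa, NULL) != 0)
            return -1;
    return 0;
}

/* Constructed demo: the child faults and the parent finds it stopped, not dead.
   Returns the signal that stopped the child, or -1 on error. */
int demo_child_stops_on_segv(void)
{
    int status = 0, seen;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_stop_on_fault() != 0) _exit(2);
        raise(SIGSEGV);  /* stands in for the real fault */
        _exit(0);
    }
    if (waitpid(pid, &status, WUNTRACED) != pid) return -1;
    seen = WIFSTOPPED(status) ? WSTOPSIG(status) : -1;
    kill(pid, SIGKILL);  /* demo cleanup; a debugging session would attach gdb instead */
    waitpid(pid, &status, 0);
    return seen;
}
int main(void) { printf("child stopped by signal %d\n", demo_child_stops_on_segv()); return 0; }
```

In a server, install_stop_on_fault() would be called early in child start-up; once a child is stopped, `gdb /path/to/httpd <pid>` followed by `bt` shows where it faulted.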
