tech-userlevel archive
Re: suenv
On Oct 23, 2012, at 2:56 PM, Christos Zoulas wrote:
> In article
> <C75A84166056C94F84D238A44AF9F6AD277C2B%AUSX10MPC103.AMER.DELL.COM@localhost>,
> <Paul_Koning%Dell.com@localhost> wrote:
>
>> But apache is security critical, isn't it? And it certainly is
>> threaded. Or are you applying the term "security critical" only to a
>> smaller set of components?
>
> Yes, but apache is designed to be threaded. login, su, and other
> pam users not necessarily. Typically programs "know" the closure
> of shared libraries that they can potentially use, and PAM breaks
> that model. The threaded/non-threaded case is a particularly nasty
> example, where a program might assume that it can use static storage
> and non-threaded interfaces (res_foo() instead of res_nfoo(),
> getdbfoo() instead of getdbfoo_r()) and then suddenly it finds
> itself in a threaded environment and potential heisenbugs. In the
> apache case these may affect only the apache user and whatever
> access it has, but in the login/su and other PAM user cases this leads
> to a complete system compromise.
>
> christos
>
That makes sense, thanks.
paul
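
The static-storage hazard described in the quoted message, as an added example that is not part of the original thread: a caller written for a single-threaded program keeps a pointer into a static result buffer, and a thread started by a module loaded at run time overwrites it. The table, the function names and the module thread are hypothetical stand-ins for a `getdbfoo()` / `getdbfoo_r()` style pair.

```c
#include <pthread.h>
#include <stdio.h>
#include <string.h>

/* Constructed table standing in for a passwd-style database. */
struct entry { char name[16]; int uid; };
static const struct entry table[] = {{"root", 0}, {"www", 80}, {"nobody", 32767}};

/* Reentrant style (the getdbfoo_r() shape): the caller owns the result storage. */
static int lookup_r(const char *name, struct entry *out) {
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].name, name) == 0) { *out = table[i]; return 0; }
    return -1;
}

/* Non-reentrant style (the getdbfoo() shape): one static buffer for all callers. */
static struct entry *lookup(const char *name) {
    static struct entry result;
    return lookup_r(name, &result) == 0 ? &result : NULL;
}

/* Hypothetical thread started by a run-time loaded module doing its own lookup. */
static void *module_thread(void *arg) { (void)arg; lookup("root"); return NULL; }

/* Run the module thread to completion; the join makes the interleaving deterministic. */
static int run_module(void) {
    pthread_t t;
    if (pthread_create(&t, NULL, module_thread, NULL) != 0) return -1;
    return pthread_join(t, NULL);
}

/* Caller written for a single-threaded world: it keeps the static pointer. */
int uid_seen_static(void) {
    struct entry *e = lookup("nobody");
    if (e == NULL || run_module() != 0) return -1;
    return e->uid;   /* the buffer now holds the module's lookup, not ours */
}

/* Same caller using the reentrant interface and its own storage. */
int uid_seen_reentrant(void) {
    struct entry mine;
    if (lookup_r("nobody", &mine) != 0 || run_module() != 0) return -1;
    return mine.uid;
}

int main(void) {
    printf("static: uid=%d  reentrant: uid=%d\n", uid_seen_static(), uid_seen_reentrant());
    return 0;
}
```

In a real program the module thread is not joined at a known point, so the overwrite happens only on some runs, which is what makes it a heisenbug.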