FreeBSD paka.cyberleo.net 7.2-RELEASE-p3 FreeBSD 7.2-RELEASE-p3 #1: Fri Jul 31 07:52:14 EDT 2009 cyberleo@paka.cyberleo.net:/usr/obj/usr/srcs/RELENG_7_2/src/sys/PAKA amd64

Relevant packages:

apache-worker-2.2.16_1 Version 2.2.x of Apache web server with worker MPM.
php52-5.2.13_3      PHP Scripting Language
php52-bcmath-5.2.13_3 The bcmath shared extension for php
php52-bz2-5.2.13_3  The bz2 shared extension for php
php52-calendar-5.2.13_3 The calendar shared extension for php
php52-ctype-5.2.13_3 The ctype shared extension for php
php52-curl-5.2.13_3 The curl shared extension for php
php52-dom-5.2.13_3  The dom shared extension for php
php52-extensions-1.3 A "meta-port" to install PHP extensions
php52-filter-5.2.13_3 The filter shared extension for php
php52-ftp-5.2.13_3  The ftp shared extension for php
php52-gd-5.2.13_3   The gd shared extension for php
php52-gettext-5.2.13_3 The gettext shared extension for php
php52-gmp-5.2.13_3  The gmp shared extension for php
php52-hash-5.2.13_3 The hash shared extension for php
php52-iconv-5.2.13_3 The iconv shared extension for php
php52-json-5.2.13_3 The json shared extension for php
php52-mbstring-5.2.13_3 The mbstring shared extension for php
php52-mcrypt-5.2.13_3 The mcrypt shared extension for php
php52-mhash-5.2.13_3 The mhash shared extension for php
php52-mysql-5.2.13_3 The mysql shared extension for php
php52-mysqli-5.2.13_3 The mysqli shared extension for php
php52-openssl-5.2.13_3 The openssl shared extension for php
php52-pcntl-5.2.13_3 The pcntl shared extension for php
php52-pcre-5.2.13_3 The pcre shared extension for php
php52-pdo-5.2.13_3  The pdo shared extension for php
php52-pdo_sqlite-5.2.13_3 The pdo_sqlite shared extension for php
php52-posix-5.2.13_3 The posix shared extension for php
php52-readline-5.2.13_3 The readline shared extension for php
php52-recode-5.2.13_3 The recode shared extension for php
php52-session-5.2.13_3 The session shared extension for php
php52-shmop-5.2.13_3 The shmop shared extension for php
php52-simplexml-5.2.13_3 The simplexml shared extension for php
php52-sockets-5.2.13_3 The sockets shared extension for php
php52-spl-5.2.13_3  The spl shared extension for php
php52-sqlite-5.2.13_3 The sqlite shared extension for php
php52-sysvmsg-5.2.13_3 The sysvmsg shared extension for php
php52-sysvsem-5.2.13_3 The sysvsem shared extension for php
php52-sysvshm-5.2.13_3 The sysvshm shared extension for php
php52-tokenizer-5.2.13_3 The tokenizer shared extension for php
php52-xml-5.2.13_3  The xml shared extension for php
php52-xmlreader-5.2.13_3 The xmlreader shared extension for php
php52-xmlrpc-5.2.13_3 The xmlrpc shared extension for php
php52-xmlwriter-5.2.13_3 The xmlwriter shared extension for php
php52-xsl-5.2.13_3  The xsl shared extension for php
php52-zip-5.2.13_3  The zip shared extension for php
php52-zlib-5.2.13_3 The zlib shared extension for php
sudo-1.7.4.4        Allow others to run commands as root

Sudoers:

www       ALL=(root) NOPASSWD: /bin/ls

Script: sudo.php

<pre><?php
echo `/usr/local/bin/sudo /bin/ls 2>&1`;
?>

Sequence:

  1. Set up apache22
  2. Patch sudoers to allow www (apache user) to run sudo without a password
  3. Drop the reproduction script in the webdir
  4. Visit it using a web browser

Expected behaviour:

  • Browser should contain the output of ls in the directory containing the script:
sudo.php

Actual behaviour:

  • Browser spins waiting for the server to respond
  • PHP waits for backticks subprocess to complete
  • Something similar to this is seen in ps:
# ps axopid,ppid,user,state,command
5001  793 www  I /bin/sh -c /usr/local/bin/sudo /bin/ls 2>&1
5002 5001 root I /usr/local/bin/sudo /bin/ls
5003 5002 root Z <defunct>
  • The zombie process is 'ls' after it has finished, which is never reaped by sudo
  • If you kill -9 sudo, everything continues normally, and the browser contains the proper output (with 'Killed' added to the end since sudo was killed)
  • Downgrading to sudo-1.7.2.7 eliminates this aberrant behaviour.
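
A diagnostic for the symptom described above, as an added example that is not part of the original report: it reads ps output with the same columns (pid, ppid, user, state, command) and lists zombie processes whose parent is sudo. The function names are hypothetical, and the sample input is constructed from the ps lines in the report plus a header line.

```sh
#!/bin/sh
# Added example: find zombie children that a sudo parent has not reaped.
# Input columns match the report: pid, ppid, user, state, command.

# Reads ps output on stdin; prints one line per zombie whose parent is sudo:
#   <zombie pid> <sudo pid> <sudo user> <sudo command line>
find_unreaped_by_sudo() {
    awk '
        $1 !~ /^[0-9]+$/ { next }   # Skip the header line (first field is not a number).
        {
            pid = $1
            ppid[pid] = $2
            user[pid] = $3
            state[pid] = $4
            cmdl = $5               # Rebuild the command line from field 5 onwards.
            for (i = 6; i <= NF; i++) cmdl = cmdl " " $i
            cmdline[pid] = cmdl
            order[++n] = pid
        }
        END {
            for (k = 1; k <= n; k++) {
                z = order[k]
                if (state[z] !~ /^Z/) continue      # Only zombies are of interest.
                p = ppid[z]
                if (!(p in cmdline)) continue       # Parent not in this listing.
                # Basename of the first word of the parent command line.
                split(cmdline[p], w, " ")
                exe = w[1]; sub(/^.*\//, "", exe)
                if (exe == "sudo")
                    print z, p, user[p], cmdline[p]
            }
        }
    '
}

# Constructed sample input: the three ps lines from the report plus a header.
sample_ps() {
    cat <<'EOF'
 PID PPID USER STAT COMMAND
5001  793 www  I /bin/sh -c /usr/local/bin/sudo /bin/ls 2>&1
5002 5001 root I /usr/local/bin/sudo /bin/ls
5003 5002 root Z <defunct>
EOF
}

# On a live system: ps axopid,ppid,user,state,command | find_unreaped_by_sudo
sample_ps | find_unreaped_by_sudo
```

The /bin/sh wrapper (pid 5001) is not reported even though its command line contains "sudo", because only the parent's executable name is compared.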