CyberLeo/Bugs/ApacheSudo
FreeBSD paka.cyberleo.net 7.2-RELEASE-p3 FreeBSD 7.2-RELEASE-p3 #1: Fri Jul 31 07:52:14 EDT 2009 cyberleo@paka.cyberleo.net:/usr/obj/usr/srcs/RELENG_7_2/src/sys/PAKA amd64

Relevant packages:
<code brush="plain">
apache-worker-2.2.16_1 Version 2.2.x of Apache web server with worker MPM.
php52-5.2.13_3 PHP Scripting Language
php52-bcmath-5.2.13_3 The bcmath shared extension for php
php52-bz2-5.2.13_3 The bz2 shared extension for php
php52-calendar-5.2.13_3 The calendar shared extension for php
php52-ctype-5.2.13_3 The ctype shared extension for php
php52-curl-5.2.13_3 The curl shared extension for php
php52-dom-5.2.13_3 The dom shared extension for php
php52-extensions-1.3 A "meta-port" to install PHP extensions
php52-filter-5.2.13_3 The filter shared extension for php
php52-ftp-5.2.13_3 The ftp shared extension for php
php52-gd-5.2.13_3 The gd shared extension for php
php52-gettext-5.2.13_3 The gettext shared extension for php
php52-gmp-5.2.13_3 The gmp shared extension for php
php52-hash-5.2.13_3 The hash shared extension for php
php52-iconv-5.2.13_3 The iconv shared extension for php
php52-json-5.2.13_3 The json shared extension for php
php52-mbstring-5.2.13_3 The mbstring shared extension for php
php52-mcrypt-5.2.13_3 The mcrypt shared extension for php
php52-mhash-5.2.13_3 The mhash shared extension for php
php52-mysql-5.2.13_3 The mysql shared extension for php
php52-mysqli-5.2.13_3 The mysqli shared extension for php
php52-openssl-5.2.13_3 The openssl shared extension for php
php52-pcntl-5.2.13_3 The pcntl shared extension for php
php52-pcre-5.2.13_3 The pcre shared extension for php
php52-pdo-5.2.13_3 The pdo shared extension for php
php52-pdo_sqlite-5.2.13_3 The pdo_sqlite shared extension for php
php52-posix-5.2.13_3 The posix shared extension for php
php52-readline-5.2.13_3 The readline shared extension for php
php52-recode-5.2.13_3 The recode shared extension for php
php52-session-5.2.13_3 The session shared extension for php
php52-shmop-5.2.13_3 The shmop shared extension for php
php52-simplexml-5.2.13_3 The simplexml shared extension for php
php52-sockets-5.2.13_3 The sockets shared extension for php
php52-spl-5.2.13_3 The spl shared extension for php
php52-sqlite-5.2.13_3 The sqlite shared extension for php
php52-sysvmsg-5.2.13_3 The sysvmsg shared extension for php
php52-sysvsem-5.2.13_3 The sysvsem shared extension for php
php52-sysvshm-5.2.13_3 The sysvshm shared extension for php
php52-tokenizer-5.2.13_3 The tokenizer shared extension for php
php52-xml-5.2.13_3 The xml shared extension for php
php52-xmlreader-5.2.13_3 The xmlreader shared extension for php
php52-xmlrpc-5.2.13_3 The xmlrpc shared extension for php
php52-xmlwriter-5.2.13_3 The xmlwriter shared extension for php
php52-xsl-5.2.13_3 The xsl shared extension for php
php52-zip-5.2.13_3 The zip shared extension for php
php52-zlib-5.2.13_3 The zlib shared extension for php
sudo-1.7.4.4 Allow others to run commands as root
</code>

Sudoers:
<code brush="plain">
www ALL=(root) NOPASSWD: /bin/ls
</code>

Script: sudo.php
<code brush="php">
<pre><?php echo `/usr/local/bin/sudo /bin/ls 2>&1`; ?>
</code>

Sequence:
# Set up apache22
# Patch sudoers to allow www (apache user) to run sudo without a password
# Drop the reproduction script in the webdir
# Visit it using a web browser

Expected behaviour:
* Browser should contain the output of ls in the directory containing the script:
<verbatim>
sudo.php
</verbatim>

Actual behaviour:
* Browser spins waiting for the server to respond
* PHP waits for backticks subprocess to complete
* Something similar to this is seen in ps:
<code brush="bash">
# ps axopid,ppid,user,state,command
5001   793 www  I /bin/sh -c /usr/local/bin/sudo /bin/ls 2>&1
5002  5001 root I /usr/local/bin/sudo /bin/ls
5003  5002 root Z <defunct>
</code>
* The zombie process is 'ls' after it has finished, which is never reaped by sudo
* If you kill -9 sudo, everything continues normally, and the browser contains the proper output (with 'Killed' added to the end since sudo was killed)
* Downgrading to sudo-1.7.2.7 eliminates this aberrant behaviour.
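
A way to spot the hang described above from the process table, as an added example that is not part of the original report: it reads `ps axopid,ppid,user,state,command` output and lists each sudo process that still has a zombie child. The function names `find_stuck_sudo` and `sample_ps` are hypothetical, and the sample rows are constructed from the ps listing above plus a few extra rows for contrast.

```shell
#!/bin/sh
# Added example: flag sudo processes parked on an unreaped (zombie) child.
# Input: output of `ps axopid,ppid,user,state,command`, as used on this page.

find_stuck_sudo() {
    # Reads ps output on stdin; prints "sudo_pid zombie_pid", one pair per line.
    awk '
        $1 !~ /^[0-9]+$/ { next }              # skip header or prompt lines
        {
            cmd[$1] = $5                       # first word of the command
            if ($4 ~ /^Z/) zparent[$1] = $2    # zombie pid -> parent pid
        }
        END {
            for (z in zparent) {
                p = zparent[z]
                n = split(cmd[p], parts, "/")  # basename of the parent command
                if (n > 0 && parts[n] == "sudo") print p, z
            }
        }
    ' | sort -n
}

sample_ps() {
    # Constructed sample: rows 5001-5003 follow the listing above; the
    # httpd row and the 6001/6002 zombies are invented for contrast.
    cat <<'EOF'
  PID  PPID USER STAT COMMAND
  793     1 root Ss   /usr/local/sbin/httpd
 5001   793 www  I    /bin/sh -c /usr/local/bin/sudo /bin/ls 2>&1
 5002  5001 root I    /usr/local/bin/sudo /bin/ls
 5003  5002 root Z    <defunct>
 6001     1 root Z    <defunct>
 6002   793 www  Z    <defunct>
EOF
}

# Live use: ps axopid,ppid,user,state,command | find_stuck_sudo
sample_ps | find_stuck_sudo
```

Only the zombie whose parent is sudo is reported; zombies parented by other processes are ignored.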