Debian Bug report logs - #925472
apache2: AuthLDAPBindPassword with exec: variant: child processes not properly destroyed

Package: src:apache2; Maintainer for src:apache2 is Debian Apache Maintainers <[email protected]>;

Reported by: Salvatore Bonaccorso <[email protected]>

Date: Mon, 25 Mar 2019 15:24:02 UTC

Severity: normal

Tags: upstream

Found in versions apache2/2.4.25-3+deb9u6, apache2/2.4.25-3

Forwarded to https://bz.apache.org/bugzilla/show_bug.cgi?id=61817


Report forwarded to [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], Debian Apache Maintainers <[email protected]>:
Bug#925472; Package src:apache2. (Mon, 25 Mar 2019 15:24:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <[email protected]>:
New Bug report received and forwarded. Copy sent to [email protected], [email protected], [email protected], [email protected], [email protected], Debian Apache Maintainers <[email protected]>. (Mon, 25 Mar 2019 15:24:04 GMT)


Message #5 received at [email protected]:

From: Salvatore Bonaccorso <[email protected]>
To: Debian Bug Tracking System <[email protected]>
Subject: apache2: AuthLDAPBindPassword with exec: variant: child processes not properly destroyed
Date: Mon, 25 Mar 2019 16:20:51 +0100
Source: apache2
Version: 2.4.25-3+deb9u6
Severity: normal
Tags: upstream
Forwarded: https://bz.apache.org/bugzilla/show_bug.cgi?id=61817
Control: found -1 2.4.25-3

Hi

When using a setup that uses, for mod_authnz_ldap, the AuthLDAPBindPassword
directive, specifically with the exec: variant as documented in [1], the
respective child process is not destroyed correctly.

To reproduce the issue within a .htaccess file (we managed to
reproduce in .htaccess context but not in a directory context)

> AuthType Basic
> AuthName "Restricted access"
> AuthBasicProvider ldap
> 
> AuthLDAPURL $url
> AuthLDAPBindDN $binddn
> AuthLDAPBindPassword "exec:/bin/cat /path/to/ldap/passwd"
> 
> Require valid-user

is enough, resulting in defunct processes

[...]
S www-data 145731  82080  0  80   0 13016 223273 -     13:50 ?        00:00:00  \_ /usr/sbin/apache2 -k start
Z www-data 151575 145731  0  80   0     0     0 -      14:21 ?        00:00:00  |   \_ [cat] <defunct>
S www-data 145732  82080  0  80   0 13980 223674 -     13:50 ?        00:00:00  \_ /usr/sbin/apache2 -k start
Z www-data 151686 145732  0  80   0     0     0 -      14:22 ?        00:00:00      \_ [cat] <defunct>
[...]

The issue has been submitted upstream already in [2] with a tentative
patch, but it looks like the issue has not yet been addressed upstream.

Regards,
Salvatore

 [1] http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#AuthLDAPBindPassword
 [2] https://bz.apache.org/bugzilla/show_bug.cgi?id=61817
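
A monitoring check for the symptom shown in the report, as an added example (not part of the original message and not Apache or Debian code): it parses a process listing in the layout quoted above and groups defunct children under their apache2 parent. The function names are hypothetical, and the column order is assumed from the quoted lines, since the report shows no header line.

```python
import re
from collections import defaultdict

# Process listing copied from the report above (the "[...]" markers are kept
# to show that non-process lines are skipped).
SAMPLE = r"""
[...]
S www-data 145731  82080  0  80   0 13016 223273 -     13:50 ?        00:00:00  \_ /usr/sbin/apache2 -k start
Z www-data 151575 145731  0  80   0     0     0 -      14:21 ?        00:00:00  |   \_ [cat] <defunct>
S www-data 145732  82080  0  80   0 13980 223674 -     13:50 ?        00:00:00  \_ /usr/sbin/apache2 -k start
Z www-data 151686 145732  0  80   0     0     0 -      14:22 ?        00:00:00      \_ [cat] <defunct>
[...]
"""

# Assumption: 13 whitespace-separated columns precede the command, with
# state, user, PID and PPID in the first four positions.
COLUMNS_BEFORE_CMD = 13

def parse_ps(text):
    """Return {pid: {"state", "user", "ppid", "cmd"}} for each process line."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, COLUMNS_BEFORE_CMD)
        if len(parts) <= COLUMNS_BEFORE_CMD or not parts[2].isdigit():
            continue  # blank line, header or "[...]" marker
        # Drop the forest-view tree drawing ("|   \_ ") in front of the command.
        cmd = re.sub(r"^[\s|]*\\_\s*", "", parts[COLUMNS_BEFORE_CMD]).strip()
        procs[int(parts[2])] = {"state": parts[0], "user": parts[1],
                                "ppid": int(parts[3]), "cmd": cmd}
    return procs

def zombies_by_parent(procs, parent_pattern=r"apache2"):
    """Map parent PID -> [(zombie PID, command)] for parents matching the pattern."""
    found = defaultdict(list)
    for pid, proc in procs.items():
        parent = procs.get(proc["ppid"])
        if (proc["state"].startswith("Z") and parent
                and re.search(parent_pattern, parent["cmd"])):
            found[proc["ppid"]].append((pid, proc["cmd"]))
    return dict(found)

if __name__ == "__main__":
    for ppid, kids in sorted(zombies_by_parent(parse_ps(SAMPLE)).items()):
        print(f"apache2 worker {ppid}: {len(kids)} defunct child(ren): {kids}")
```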



Marked as found in versions apache2/2.4.25-3. Request was from Salvatore Bonaccorso <[email protected]> to [email protected]. (Mon, 25 Mar 2019 15:24:04 GMT)



Debian bug tracking system administrator <[email protected]>. Last modified: Mon Nov 11 14:21:23 2024; Machine Name: bembo