apache2: Apache2 weird forks (owned by root)
Bug #26607 reported by
Debian Bug Importer
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| apache2 (Debian) | Fix Released | Unknown | | |
| apache2 (Ubuntu) | Fix Released | High | Ubuntu Server | |
Bug Description
Automatically imported from Debian bug report #342141 http://
Changed in apache2:
status: New → Incomplete
Changed in apache2:
assignee: adconrad → ubuntu-server
Changed in apache2:
status: New → Incomplete
Changed in apache2:
status: Incomplete → Fix Released
Message-Id: <email address hidden>
Date: Mon, 05 Dec 2005 20:47:54 +0200
From: Fotos Georgiadis <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: apache2: Apache2 weird forks (owned by root)
Package: apache2
Version: 2.0.54-5
Severity: grave
Tags: security
Justification: renders package unusable
(What follows is the original message I posted first on
the <email address hidden>, but no one replied after a few days.
So now I report this as a Debian bug...)
Hello!
A strange problem occurs in our apache 2 installation. I have the
prefork MPM where the expected (and documented) behavior is one root
process open for managing the privileged ports (etc.) that spawns
children, with the privileges of the User and Group directives
specified (www-data in my case), in order to serve the requests.
Well, in our system what happens is that the children also have root
privileges despite the User www-data option. But what is more strange
is that this doesn't happen all the time. Sometimes the server starts
with 3 children owned by www-data and the rest 2 (out of a
MinSpareServers 5) are owned by root. The number varies between
restarts from all owned by root to all owned by www-data. (Don't
mention the security implications of the situation).
Processes owned by root are not serving pages (not that I would want
the root user to serve pages...), and that means the capabilities of
the server are reduced. When all processes are owned by root, and a
client opens a connection it hangs there indefinitely. When only 1 or
2 processes are owned by www-data the server is really slow,
otherwise it behaves nicely under a moderate load.
Also issuing a reload (apache2ctl graceful) seems to zombie the child
processes and only SIGKILL can make them rest in peace. The problem
possibly lies in the forking section of apache 2. Killing the root-
owned children spawns new, sometimes owned by root, sometimes owned
by www-data. Killing enough root processes eventually allows us to
have all processes owned by www-data!
Now that I explained the situation and the problem, details about the
system follow:
Debian Sarge (3.1) up to date
Standard debian package for apache 2:
% apache2ctl -V:
Server version: Apache/2.0.54
Server built: Sep 5 2005 11:15:09
Server's Module Magic Number: 20020903:9
Architecture: 32-bit
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/prefork"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D HTTPD_ROOT=""
-D SUEXEC_BIN="/usr/lib/apache2/suexec2"
-D DEFAULT_PIDLOG="/var/run/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_LOCKFILE="/var/run/accept.lock"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="/etc/apache2/mime.types"
-D SERVER_CONFIG_FILE="/etc/apache2/apache2.conf"
Using the prefork MPM as already mentioned.
Server signature and other modules:
Apache/2.0.54 (Debian GNU/Linux)
PHP/4.3.10-16
mod_ssl/2.0.54
OpenSSL/0.9.7e...
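
A check for the symptom the report describes, as an added example that is not part of the original bug report or of Apache's own tooling: it parses `ps -eo pid,ppid,user,comm` output and lists prefork children that are not running as the configured User. The process table below is constructed for illustration; `apache2` and `www-data` are the names used in the report, and the function names are hypothetical.

```python
import subprocess

# Constructed sample of `ps -eo pid,ppid,user,comm` output (not from the report):
# one root master (PID 2301) and five prefork children, two of which kept root.
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     init
 2301     1 root     apache2
 2302  2301 www-data apache2
 2303  2301 www-data apache2
 2304  2301 root     apache2
 2305  2301 www-data apache2
 2306  2301 root     apache2 <defunct>
 2410     1 root     sshd
"""

def parse_ps(text):
    """Return {pid: (ppid, user, comm)} from `ps -eo pid,ppid,user,comm` output."""
    procs = {}
    for line in text.splitlines()[1:]:              # skip the header row
        fields = line.split(None, 3)
        if len(fields) == 4 and fields[0].isdigit() and fields[1].isdigit():
            comm = fields[3].split()[0]             # drop a trailing "<defunct>"
            procs[int(fields[0])] = (int(fields[1]), fields[2], comm)
    return procs

def audit_prefork(text, comm="apache2", run_as="www-data"):
    """The master is the apache2 process whose parent is not apache2; every
    other apache2 process is a child and is expected to run as `run_as`."""
    procs = parse_ps(text)
    apache = {pid: p for pid, p in procs.items() if p[2] == comm}
    report = {"masters": [], "ok": [], "wrong_user": []}
    for pid, (ppid, user, _) in sorted(apache.items()):
        if ppid not in apache:
            report["masters"].append(pid)
        elif user == run_as:
            report["ok"].append(pid)
        else:
            report["wrong_user"].append((pid, user))
    return report

def audit_live():
    """Same audit against the running system (requires procps `ps`)."""
    out = subprocess.run(["ps", "-eo", "pid,ppid,user,comm"],
                         capture_output=True, text=True, check=True).stdout
    return audit_prefork(out)

if __name__ == "__main__":
    result = audit_prefork(SAMPLE_PS)
    print(result)
    raise SystemExit(1 if result["wrong_user"] else 0)
```

Run from cron or a monitoring check, a non-zero exit means at least one child did not drop to the configured User. `ps` truncates user names longer than its column width, so pass the name as `ps` prints it in `run_as`.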