ngx_execute_proc
Ricardo Iramar dos Santos
riramar at gmail.com
Tue Aug 25 12:55:05 UTC 2015
I got it! Totally clear now.
So there's no problem with command injection here since the arguments
will be the same from the old process. :)
Thanks Tolga!
On Mon, Aug 24, 2015 at 3:55 PM, Tolga Ceylan <tolga.ceylan at gmail.com> wrote:
> On Sun, Aug 23, 2015 at 11:38 AM, Ricardo Iramar dos Santos
> <riramar at gmail.com> wrote:
>> Hi Tolga, thanks a lot for your replay! :)
>>
>> Searching on the source code I found that ngx_execute_proc() has been
>> declared and invoked inside src/os/unix/ngx_process.c.
>>
>> ricardo at matrix:~/Documents/nginx-1.9.3$ grep -ri ngx_execute_proc *
>> Binary file objs/src/os/unix/ngx_process.o matches
>> Binary file objs/nginx matches
>> src/os/unix/ngx_process.c:static void ngx_execute_proc(ngx_cycle_t
>> *cycle, void *data);
>> src/os/unix/ngx_process.c: return ngx_spawn_process(cycle,
>> ngx_execute_proc, ctx, ctx->name,
>> src/os/unix/ngx_process.c:ngx_execute_proc(ngx_cycle_t *cycle, void *data)
>>
>> The function ngx_execute_proc() is really small, take a look:
>>
>> static void
>> ngx_execute_proc(ngx_cycle_t *cycle, void *data)
>> {
>> ngx_exec_ctx_t *ctx = data;
>>
>> if (execve(ctx->path, ctx->argv, ctx->envp) == -1) {
>> ngx_log_error(NGX_LOG_ALERT, cycle->log, ngx_errno,
>> "execve() failed while executing %s \"%s\"",
>> ctx->name, ctx->path);
>> }
>>
>> exit(1);
>> }
>>
>> And this is the function which maybe ngx_execute_proc() is invoked.
>>
>> ngx_pid_t
>> ngx_execute(ngx_cycle_t *cycle, ngx_exec_ctx_t *ctx)
>> {
>> return ngx_spawn_process(cycle, ngx_execute_proc, ctx, ctx->name,
>> NGX_PROCESS_DETACHED);
>> }
>>
>> I didn't get yet where in the code of upgrading process touch the
>> functions above.
>> I didn't find in ngx_exec_new_binary() (/src/core/nginx.c) invoking
>> ngx_execute_proc() directly.
>> I'm trying to find a "command injection" vulnerabilities so I need to
>> trace the parameters "ctx->path, ctx->argv and ctx->envp" and where
>> the users input some data on them.
>>
>> Thanks!
>> Ricardo Iramar
>>
>
> Hi Ricardo,
>
> In nginx.c, ngx_exec_new_binary() calls ngx_execute(), which calls
> ngx_spawn_process() with "ngx_execute_proc" function pointer.
>
> This is all triggered via "new binary" signal. The signal handler will
> set "ngx_change_binary". ngx_master_process_cycle()
> checks if ngx_change_binary is set and call ngx_exec_new_binary().
>
> Hope this helps,
> Tolga
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
More information about the nginx-devel
mailing list