From: Joe Orton
Date: Tue, 16 Apr 2019 12:58:37 +0000 (+0000)
Subject: Merge r1857626 from trunk:
X-Git-Tag: 2.4.40~142
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=112aea426eddc45a209556dbdc9bd31c15805265;p=thirdparty%2Fapache%2Fhttpd.git
Merge r1857626 from trunk:
Add security note on CoreDumpDirectory for Linux.
Reviewed by: icing, elukey
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1857648 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/docs/manual/mod/mpm_common.xml b/docs/manual/mod/mpm_common.xml
index 4dfcea9c808..f5ae530c9d4 100644
--- a/docs/manual/mod/mpm_common.xml
+++ b/docs/manual/mod/mpm_common.xml
@@ -50,6 +50,17 @@ switch before dumping core
operating system is not configured to write core files to the working directory
of the crashing processes.
+
+ Security note for Linux systems
+
+ Using this directive on Linux may allow other processes on
+ the system (if running with similar privileges, such as CGI
+ scripts) to attach to httpd children via the ptrace
+ system call. This may make weaken the protection from certain
+ security attacks. It is not recommended to use this directive
+ on production systems.
+
+
Core Dumps on Linux
If Apache httpd starts as root and switches to another user, the
Linux kernel disables core dumps even if the directory is
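Review bot: The added security note contains a stray word in "This may make weaken the protection from certain security attacks"; it should read "This may weaken the protection against certain security attacks". The phrase "certain security attacks" is also too vague for a security note. The preceding sentence already says that similarly privileged processes such as CGI scripts can attach to httpd children via ptrace, so the note could state what that attachment exposes, which would let an administrator judge the risk. Since the note ends by advising against the directive on production systems, it would also help to say that the exposure applies whenever the directive is set, not only when a crash occurs, if that is the case.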