COMMAND
AnswerBook2
SYSTEMS AFFECTED
Sun AnswerBook2
PROBLEM
Dave Monnier found following. Sun AnswerBook2 ships with a HTTP
server (dwhttpd, DynaWeb's httpd) that allows users to access
Solaris documentation using a web browser. By default the server
listens on port 8888.
Sun's Answerbook fails under certain conditions to delete
temporary files that are built by its print function, filling
/tmp, and causing the system to fail because processes cannot
fork. Briefly, the dwhttp print function builds Postscript files
in /tmp and downloads them to the user's browser. It deletes
Postscript files after they are successfully sent to the browser.
It fails to delete postcript files if the requesting TCP
connection is broken before files are completely built and sent
to the browser. Undeleted files can be large, and they are more
likely to be large than small. First, some printed documents are
in excess of 50mb. Second, users often abort print requests for
large documents because the requests require a long time to
fulfill and users believe that their requests have failed. Users
often try again. Relatively few large requests are necessary to
fill a reasonably sized /tmp directory. When /tmp fills Solaris
fails because /tmp is used for swap. If/when /tmp fills, swap
space eventually also fills preventing additional procesees from
being swapped. Eventually system memory will fill causing a
failure of process spawning alltogether.
So far as we know it is not possible to configure the Answerbook
dwhttp server to use a directory other than /tmp for generating
Postscript.
SOLUTION
No official fix. Non-malicious use of Answerbook can be prevented
from crashing Solaris by a cron job that cleans Answerbook
Postscript files from /tmp very frequently. A suitable frequency
depends upon the size of /tmp, the amount of swapping activity on
a system and demand for Answerbook. Answerbook Postscript files
can be globbed using dweb*.ps.
The only known safe-guard against malicious attack is to shutdown
Answerbook.