[You forgot to cc: the list]
On Fri, Jan 11, 2008 at 03:24:32PM -0500, Alan Pinstein wrote:
> On Jan 11, 2008, at 3:02 PM, Luis Rodrigo Gallardo Cruz wrote:
>> On Fri, Jan 11, 2008 at 02:31:58PM -0500, Alan Pinstein wrote:
>>> Hi All- [ Stunnel listens on ports it shouldn't ]
>>> If I start up stunnel from the command line as "root" or another user even, it only listens on the port listed in the conf file.
>> Could you have some startup script that's automatically getting run with your logrotate scripts?
> The problem happens the MOMENT stunnel starts. It has nothing to do with the logrotate scripts.
Oh, sorry, I got confused. (/me goes and re-reads the original mail ...)
>>> I've done a bunch of debugging and can't figure out what's going on. I have only one guess: stunnel automatically listens on any ports that the process calling stunnel is listening on, in some sort of attempt to seamlessly add SSL to existing daemons. I can't find any docs or tell from the source code, but it's the only idea I can't rule out...
All this is in a *nix, right?
The following is an educated guess:
Open connections are open file descriptors, and fork()/exec() do not close open file descriptors. Thus, stunnel is inheriting the open connection. And, since it knows nothing about it, it does not close it or anything like that. So it's not that it actively listens on it, but only that it does not bother to stop. You might check this theory by trying to connect to the port *after* apache is shut down. If I'm right you should get no answer at all.
So, the solution is to have the file descriptors close when exec'ing stunnel. PHP or apache might have some option somewhere to do that (look for "close on exec" or something similarly named), but if not, you might have to write some sort of wrapper to do it. It's a messy thing, because AFAIK there's no clean way to do it short of
for (i = 0; i < [some-hopefully-large-enough-value]; i++) close(i);
where the [large-enough-value] is determined by your system's file descriptor limit and your desire not to loop all the way to 2^32 or something.
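The descriptor-inheritance theory above, and both fixes (a "close everything" wrapper loop bounded by the descriptor limit, and the per-descriptor close-on-exec flag), can be checked directly. The following is an added example written for this thread; it is not code from the original mails, from stunnel or from apache. It assumes a POSIX system with /bin/sh. The helper names (make_listener, child_inherits, close_from, set_cloexec, fd_is_cloexec) are this example's own; make_listener stands in for the web server's listening socket and /bin/sh stands in for the exec'd stunnel.

```c
/* Added example (not from the thread): a listening socket created by a parent
 * survives fork()+exec() in the child unless FD_CLOEXEC is set on it or the
 * wrapper closes it before exec. Assumes POSIX with /bin/sh; helper names are
 * this example's own, not stunnel's or apache's. */
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* TCP listener on 127.0.0.1 with a kernel-chosen port (port 0), playing the
 * role of the daemon's socket. Returns the fd, or -1 on error. */
int make_listener(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 8) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* 1 if FD_CLOEXEC is set on fd, 0 if not, -1 if fd is not open. */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* The clean per-descriptor fix: mark fd close-on-exec so exec() drops it. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* The wrapper approach from the thread: close every descriptor >= lowfd,
 * bounded by the process's descriptor limit instead of looping to 2^32. */
void close_from(int lowfd)
{
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd < 0)
        maxfd = 1024; /* fallback when the limit is unknown */
    for (long i = lowfd; i < maxfd; i++)
        close((int)i);
}

/* Fork, optionally scrub descriptors in the child as a wrapper would, then
 * exec /bin/sh and ask it whether `fd` is still open. Returns 1 if the exec'd
 * child inherited fd, 0 if it did not, -1 on error. */
int child_inherits(int fd, int scrub_in_child)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (scrub_in_child)
            close_from(3); /* keep stdin/stdout/stderr, drop the rest */
        char cmd[64];
        /* `exec 0<&N` makes a non-interactive sh exit non-zero if fd N is closed. */
        snprintf(cmd, sizeof cmd, "exec 0<&%d", fd);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

/* Runs the three cases and packs the results as bits: plain exec (bit 2),
 * wrapper scrub (bit 1), FD_CLOEXEC (bit 0). Expected value: 4 (only the
 * plain exec leaks the listener). Returns -1 on setup error. */
int run_demo(void)
{
    int lfd = make_listener();
    if (lfd < 0)
        return -1;
    int plain = child_inherits(lfd, 0);
    int scrubbed = child_inherits(lfd, 1);
    if (set_cloexec(lfd) < 0) {
        close(lfd);
        return -1;
    }
    int cloexec = child_inherits(lfd, 0);
    close(lfd);
    if (plain < 0 || scrubbed < 0 || cloexec < 0)
        return -1;
    return (plain << 2) | (scrubbed << 1) | cloexec;
}

int main(void)
{
    int r = run_demo();
    printf("plain exec inherits listener: %d\n", (r >> 2) & 1);
    printf("wrapper closes fds first:     %d\n", (r >> 1) & 1);
    printf("after FD_CLOEXEC:             %d\n", r & 1);
    return r == 4 ? 0 : 1;
}
```

Two practical notes. While the exec'd process holds the inherited listening socket, the kernel keeps completing TCP handshakes into that socket's backlog, so a connection attempt to the port succeeds even though no process ever calls accept() on it; that is what makes the port look as if stunnel were serving it. And the loop in close_from is the portable fallback: where available, closefrom(3) (FreeBSD, OpenBSD, Solaris, glibc 2.34+) or close_range(2) (Linux 5.9+) does the same job without iterating over every possible descriptor.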