Is it insecure for the user to know the process id of a background script on my web server?



  • I was experiencing an issue on one of my webpages, where an AJAX call is made to another script on the server to generate some files for download. Depending on things like server load, number of files needed, etc., the call was timing out.

    I took the suggestion in this answer, and adjusted the code to make an initial AJAX call to start the script in the background, and then multiple repeated AJAX calls to query the status of it. When the initial AJAX call is made, the process id of the script is returned to the client, which is then used by the subsequent calls to check whether the script is still running.

    Does the fact that the client knows the actual pid of a process running on the server create any sort of security vulnerability?



  • A pid has limited utility to derive information about the host's system state. E.g. a low pid would indicate a recent reboot, a high pid a long-running system (depending on the load and services). An attacker could constantly monitor your actual pid and make an educated guess about uptime, e.g. predict whether an important kernel security patch was applied or not.

    If the polling AJAX call request isn't verified (e.g. using HMAC), the attacker could scan the running process ids by forging the pid and repeating the call. That way the attacker could identify the long-running processes (webserver, database pids).

    None of them seems to be a very serious security problem to me, but it's better safe than sorry. You can easily encrypt the pid with a local secret if you like.
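
The HMAC verification mentioned in the answer, sketched in Python as an added example (not code from the question or the answer): the server issues a token that binds the pid to the caller's session and an issue time, and the status endpoint rejects any token it did not sign. The secret, `MAX_AGE`, the session id and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed secret for the example; load the real one from server-side config.
SECRET = b"constructed-example-secret"
MAX_AGE = 3600  # seconds a token stays valid (assumed value)


def _mac(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).digest()


def issue_token(pid: int, session_id: str, now: Optional[float] = None) -> str:
    """Return 'payload.mac' binding the pid to a session and an issue time."""
    issued = int(time.time() if now is None else now)
    payload = f"{pid}:{issued}:{session_id}".encode()
    b64 = base64.urlsafe_b64encode
    return b64(payload).decode() + "." + b64(_mac(payload)).decode()


def verify_token(token: str, session_id: str,
                 now: Optional[float] = None) -> Optional[int]:
    """Return the pid only if the token is authentic, fresh and for this session."""
    try:
        p64, m64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        mac = base64.urlsafe_b64decode(m64)
    except ValueError:  # wrong shape or bad base64
        return None
    # Check the MAC before trusting anything inside the payload.
    if not hmac.compare_digest(mac, _mac(payload)):
        return None
    pid_s, issued_s, sid = payload.decode().split(":", 2)
    current = time.time() if now is None else now
    if sid != session_id or current - int(issued_s) > MAX_AGE:
        return None
    return int(pid_s)
```

The token authenticates the pid but does not hide it, since the payload is only base64-encoded; a forged or guessed pid fails the MAC check, so the endpoint cannot be used to scan process ids.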


