Posted to dev@httpd.apache.org by Jim Jagielski <ji...@jaguNET.com> on 1997/11/23 23:26:04 UTC
Environment
Urm... Should Apache clear out its environment when it does the
setuid() call?
Not sure if this is the case with standard CGIs, but when using
the PHP module, the <?phpinfo()> call displays the _root_
environment since the parent process runs as root and this
isn't cleared out by the children... This gives me the willies.
--
====================================================================
Jim Jagielski | jaguNET Access Services
jim@jaguNET.com | http://www.jaguNET.com/
"Look at me! I'm wearing a cardboard belt!"
Re: Environment
Posted by Alexei Kosut <ak...@leland.Stanford.EDU>.
On Sun, 23 Nov 1997, Marc Slemko wrote:
> On Sun, 23 Nov 1997, Jim Jagielski wrote:
>
> > Urm... Should Apache clear out its environment when it does the
> > setuid() call?
>
> I don't see why.
Agreed. If the module has access to the ps command, it can look at the
root environment anyway, so I don't see this as a large problem.
-- Alexei Kosut <ak...@stanford.edu> <http://www.stanford.edu/~akosut/>
Stanford University, Class of 2001 * Apache <http://www.apache.org> *
Re: Environment
Posted by Marc Slemko <ma...@worldgate.com>.
On Sun, 23 Nov 1997, Jim Jagielski wrote:
> Urm... Should Apache clear out its environment when it does the
> setuid() call?
I don't see why.
>
> Not sure if this is the case with standard CGIs, but when using
No it isn't. The environment passed to other processes is restricted.
> the PHP module, the <?phpinfo()> call displays the _root_
> environment since the parent process runs as root and this
> isn't cleared out by the children... This gives me the willies.
Clearing the environment would break things like this that needed a
particular value set unless you modified PassEnv or something to have a
dual purpose.
Re: Environment
Posted by Dean Gaudet <dg...@arctic.org>.
We could recommend users use the "env" command to build an appropriate
environment themselves:
    env - \
        PATH=/usr/local/bin:/bin:/usr/bin \
        SHELL=/bin/sh \
        /var/www/bin/httpd -d /var/www
Dean
On Sun, 23 Nov 1997, Jim Jagielski wrote:
> Urm... Should Apache clear out its environment when it does the
> setuid() call?
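
The `env -` approach suggested above, extended into a small wrapper with a PassEnv-style allowlist; this is an added example, not part of the original thread and not Apache code. The names `ALLOW`, `clean_run`, `demo` and `DB_PASSWORD` are hypothetical, the sample values are constructed, and `env -i` is used as the POSIX spelling of `env -`.

```shell
#!/bin/sh
# Added example: start a command with a scrubbed environment so that
# nothing from the invoking (root) shell is inherited by accident.

# Variables allowed through from the caller when they are set
# (hypothetical allowlist, in the spirit of PassEnv).
ALLOW="TZ LANG"

# clean_run CMD [ARGS...]
# Runs CMD with a fixed PATH and SHELL plus any allowlisted variables
# that are present in the caller's environment. Everything else is dropped.
clean_run() (
    for name in $ALLOW; do
        # printenv exits non-zero when the variable is not in the environment.
        if val=$(printenv "$name"); then
            # Prepend NAME=value so it ends up in front of the command.
            set -- "$name=$val" "$@"
        fi
    done
    exec env -i \
        PATH=/usr/local/bin:/bin:/usr/bin \
        SHELL=/bin/sh \
        "$@"
)

# Constructed demonstration: the parent exports a secret and an allowlisted
# variable, then lists what a child started through clean_run can see.
demo() (
    export DB_PASSWORD=constructed-secret TZ=UTC
    clean_run env | sort
)

demo
```

With the paths from the message above, the invocation would be `clean_run /var/www/bin/httpd -d /var/www`.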