Posted to dev@httpd.apache.org by Jim Jagielski <ji...@jaguNET.com> on 1997/11/23 23:26:04 UTC

Environment

Urm... Should Apache clear out its environment when it does the
setuid() call?

Not sure if this is the case with standard CGIs, but when using
the PHP module, the <?phpinfo()> call displays the _root_
environment since the parent process runs as root and this
isn't cleared out by the children... This gives me the willies.
-- 
====================================================================
      Jim Jagielski            |       jaguNET Access Services
     jim@jaguNET.com           |       http://www.jaguNET.com/
            "Look at me! I'm wearing a cardboard belt!"

Re: Environment

Posted by Alexei Kosut <ak...@leland.Stanford.EDU>.
On Sun, 23 Nov 1997, Marc Slemko wrote:

> On Sun, 23 Nov 1997, Jim Jagielski wrote:
> 
> > Urm... Should Apache clear out its environment when it does the
> > setuid() call?
> 
> I don't see why.

Agreed. If the module has access to the ps command, it can look at the
root environment anyway, so I don't see this as a large problem.

-- Alexei Kosut <ak...@stanford.edu> <http://www.stanford.edu/~akosut/>
   Stanford University, Class of 2001 * Apache <http://www.apache.org> *



Re: Environment

Posted by Marc Slemko <ma...@worldgate.com>.
On Sun, 23 Nov 1997, Jim Jagielski wrote:

> Urm... Should Apache clear out its environment when it does the
> setuid() call?

I don't see why.

> 
> Not sure if this is the case with standard CGIs, but when using

No it isn't.  The environment passed to other processes is restricted.

> the PHP module, the <?phpinfo()> call displays the _root_
> environment since the parent process runs as root and this
> isn't cleared out by the children... This gives me the willies.

Clearing the environment would break things like this that needed a
particular value set unless you modified PassEnv or something to have a
dual purpose.


Re: Environment

Posted by Dean Gaudet <dg...@arctic.org>.
We could recommend users use the "env" command to build an appropriate
environment themselves:

env - \
    PATH=/usr/local/bin:/bin:/usr/bin \
    SHELL=/bin/sh \
    /var/www/bin/httpd -d /var/www

Dean

On Sun, 23 Nov 1997, Jim Jagielski wrote:

> Urm... Should Apache clear out its environment when it does the
> setuid() call?
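
The `env` approach from the message above, generalized into a POSIX sh wrapper as an added example (not part of the thread and not Apache's own code): it builds the environment from scratch and carries over only allowlisted variable names from the caller. `KEEP_VARS`, `run_clean` and `clean_env_names` are hypothetical names; `env -i` is the spelled-out form of `env -`.

```shell
#!/bin/sh
# Added example: start a daemon with an environment built from scratch, so
# nothing from the invoking root shell is inherited by the children.

# Hypothetical allowlist of variable names to carry over from the caller.
KEEP_VARS="TZ LANG"

# run_clean CMD [ARGS...]
# Runs CMD under `env -i` with the fixed PATH and SHELL from the message
# above, plus any KEEP_VARS that are actually set in the caller.
run_clean() {
    (
        # Subshell: rewriting "$@" here does not affect the caller.
        for name in $KEEP_VARS; do
            # Skip anything that is not a plain identifier before using eval.
            case $name in
                ''|[0-9]*|*[!A-Za-z0-9_]*) continue ;;
            esac
            # Carry the variable over only if it is set in the caller.
            if eval "[ \"\${$name+set}\" = set ]"; then
                eval "value=\$$name"
                set -- "$name=$value" "$@"
            fi
        done
        # env -i starts from an empty environment; only what is listed
        # here reaches the command.
        exec env -i \
            PATH=/usr/local/bin:/bin:/usr/bin \
            SHELL=/bin/sh \
            "$@"
    )
}

# clean_env_names
# Audit helper: prints the sorted variable names a child started through
# run_clean can see, space-separated (assumes single-line values).
clean_env_names() {
    run_clean env | sed 's/=.*//' | sort | tr '\n' ' '
}

# Usage with the paths from the message above:
#   run_clean /var/www/bin/httpd -d /var/www
```

Running `clean_env_names` from the shell that will start the server shows exactly which names the server process would inherit.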