Posted to users@httpd.apache.org by Jez Hancock <je...@munk.nu> on 2003/11/13 18:16:40 UTC

[users@httpd] Apache / apachectl environment sanity

Hi,

I wanted to get some opinions on this subject before I submit a problem
report to bugzilla. My feeling is that submitting a new 'bug' to
bugzilla may not be worthwhile here, firstly because it's not actually a
bug at all and secondly because the proposed 'fix' may well break other
things.  In fact there are other reasons I can think of as well right
now ... still here goes...

The issue is with the apachectl script not starting the httpd in a clean
environment, leading to the shell environment of the user that invoked
the apachectl script being available to other apache modules (PHP for
one).

In the case of PHP the environment of the apachectl-invoking-user
is available _by default_ in the $_ENV superglobals array.

The simple solution I'm using right now (along with many others no
doubt) is to simply add the following to my (freebsd specific) apachectl
script:

-snip-
*** /usr/local/sbin/apachectl   Thu Nov 13 06:59:05 2003
--- /usr/local/sbin/apachectl.bak       Thu Nov 13 06:58:54 2003
***************
*** 26,32 ****
  #
  # the path to your httpd binary, including options if necessary
  HTTPD=/usr/local/sbin/httpd
- HTTPD=`echo /usr/bin/env -i $HTTPD`
  #
  # a command that outputs a formatted text version of the HTML at the
  # url given on the command line.  Designed for lynx, however other
--- 26,31 ----
-snip-
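
Review bot: the diff is taken in the reverse direction (the modified apachectl is the `***` file and apachectl.bak the `---` file), so the new `HTTPD=` line shows up as a `-` removal; regenerate it with the backup as the first file so the patch applies as an addition. In that line the backtick `echo` is redundant, a plain `HTTPD="/usr/bin/env -i $HTTPD"` yields the same value, and because `env -i` also drops PATH and every variable a module may rely on, the ones httpd needs should be passed explicitly as NAME=value after `-i`, with a comment above the line explaining why the environment is cleared.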

which sanitizes the httpd environment as expected.

Is it worth submitting a problem report via bugzilla for this or 
would it be too problematic?  I understand some modules do use
environment variables to operate and that 'env' is not always available
on all platforms - as such it could be a pain.

Cheers.

-- 
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
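
Added example, not part of the original post or of apachectl: a wrapper that generalizes the `env -i` change above by passing through only an allowlist of variables, and a check that a child process no longer sees the launching user's variables. `ALLOWED_VARS`, `run_clean` and `child_sees` are hypothetical names, and the `IRCNICK` value is constructed.

```shell
#!/bin/sh
# Hypothetical allowlist: adjust to what httpd and its modules really need.
ALLOWED_VARS="PATH LANG TZ"

# run_clean CMD [ARGS...]
# Run CMD under `env -i`, handing over only the variables named in
# ALLOWED_VARS that are actually set in the calling shell.
run_clean() {
    for name in $ALLOWED_VARS; do
        # Refuse anything that is not a plain identifier before using eval.
        case $name in
            ''|[0-9]*|*[!A-Za-z0-9_]*) continue ;;
        esac
        eval "isset=\${$name+x}"
        [ -n "$isset" ] || continue
        eval "value=\$$name"
        # Prepend NAME=value so all assignments precede the command.
        set -- "$name=$value" "$@"
    done
    env -i "$@"
}

# child_sees NAME [LAUNCHER...]
# Succeeds if a child process started through LAUNCHER (or directly, when
# no launcher is given) has NAME in its environment.
child_sees() {
    var=$1
    shift
    "$@" env | grep -q "^$var="
}

# Constructed sample: a personal variable set in the admin's login shell.
IRCNICK=constructed_nick
export IRCNICK

if child_sees IRCNICK; then
    echo "plain start:  child inherits IRCNICK"
fi
if ! child_sees IRCNICK run_clean; then
    echo "run_clean:    child does not see IRCNICK"
fi
if child_sees PATH run_clean; then
    echo "run_clean:    child still has PATH"
fi
```
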


Re: [users@httpd] HTTP RFCs

Posted by Brian Dessent <br...@dessent.net>.
Cody Harris wrote:
> 
> Could somebody direct me to where I can see the HTTP standards on what should be included on a request and what should be included on the response.

HTTP/1.1 is RFC 2616.  http://www.w3.org/Protocols/rfc2616/rfc2616.html

Brian



RE: [users@httpd] HTTP RFCs

Posted by Richard Correia <ri...@ugamsolutions.com>.
http://www.w3.org/Protocols/rfc2616/rfc2616.html

Rich

-----Original Message-----
From: Cody Harris [mailto:hchs@ns.sympatico.ca] 
Sent: Friday, November 14, 2003 4:29 AM
To: users@httpd.apache.org
Subject: [users@httpd] HTTP RFCs


Could somebody direct me to where I can see the HTTP standards on
what should be included on a request and what should be included on the
response.

Thanks!



[users@httpd] HTTP RFCs

Posted by Cody Harris <hc...@ns.sympatico.ca>.
Could somebody direct me to where I can see the HTTP standards on what should be included on a request and what should be included on the response.

Thanks!



Re: [users@httpd] Apache / apachectl environment sanity

Posted by Jez Hancock <je...@munk.nu>.
On Thu, Nov 13, 2003 at 12:20:04PM -0500, Joshua Slive wrote:
> 
> On Thu, 13 Nov 2003, Jez Hancock wrote:
> > The issue is with the apachectl script not starting the httpd in a clean
> > environment, leading to the shell environment of the user that invoked
> > the apachectl script being available to other apache modules (PHP for
> > one).
> >
> > In the case of PHP the environment of the apachectl-invoking-user
> > is available _by default_ in the $_ENV superglobals array.
> >
> > The simple solution I'm using right now (along with many others no
> > doubt) is to simply add the following to my (freebsd specific) apachectl
> > script:
> 
> > - HTTPD=`echo /usr/bin/env -i $HTTPD`
> 
> Although this is a perfectly valid thing to do for some people, I think
> you are right that this won't be of interest for the average apache user.
> In fact, many people rely on the ability to set the apache environment.
I thought it might be a bit too much to force on people, best to check
first.

> Perhaps somewhere in the docs (apachectl or httpd) we should just put a
> note reminding people to be aware of the environment that they are using when
> they launch apache.
A note in the security section of the docs might be good, I can't
remember reading about it there, although it's been a while since I
perused that doc :P

Come to think of it, I don't think it was in there. I did do a bit of
googling originally, when I found my IRCNICK in the $_ENV array in a
phpinfo() call(!), to find out how to stop the invoking user's env being
inherited, and didn't come across any refs to it on the apache.org domain
(I think there were a few refs to the issue on the php mail list
though).

-- 
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/



Re: [users@httpd] Apache / apachectl environment sanity

Posted by Joshua Slive <jo...@slive.ca>.
On Thu, 13 Nov 2003, Jez Hancock wrote:
> The issue is with the apachectl script not starting the httpd in a clean
> environment, leading to the shell environment of the user that invoked
> the apachectl script being available to other apache modules (PHP for
> one).
>
> In the case of PHP the environment of the apachectl-invoking-user
> is available _by default_ in the $_ENV superglobals array.
>
> The simple solution I'm using right now (along with many others no
> doubt) is to simply add the following to my (freebsd specific) apachectl
> script:

> - HTTPD=`echo /usr/bin/env -i $HTTPD`

Although this is a perfectly valid thing to do for some people, I think
you are right that this won't be of interest for the average apache user.
In fact, many people rely on the ability to set the apache environment.

Perhaps somewhere in the docs (apachectl or httpd) we should just put a
note reminding people to be aware of the environment that they are using when
they launch apache.

Joshua.
