Posted to apache-bugdb@apache.org by George Hartz <ge...@blowtorch.com> on 1998/11/19 18:05:06 UTC

suexec/3425: mod_env and suexec don't coexist

>Number:         3425
>Category:       suexec
>Synopsis:       mod_env and suexec don't coexist
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          change-request
>Submitter-Id:   apache
>Arrival-Date:   Thu Nov 19 09:10:01 PST 1998
>Last-Modified:
>Originator:     georgeh@blowtorch.com
>Organization:
apache
>Release:        1.3.*
>Environment:
Alpha RedHat 5.1, Linux 2.0.34, gcc 2.7.2.3
>Description:
I've noticed after some experimenting today that mod_env and suexec don't really coexist with each other.

I've been trying to pass environment variables to virtual hosts for the benefit of CGIs, so certain configuration options can be set in the virtual host configuration and CGIs will work on any virtual host on the server without using configuration files.

The problem is suexec strips out non-standard environment variables. This is an understandable feature, and I could easily enough add the half-dozen other environment variables I currently need into the source for suexec, but it's a bit of a kludge.

		
>How-To-Repeat:

>Fix:
My thought was to add a fifth parameter to suexec taking a list of additional "safe" environment variables, a list that could be generated by mod_env when the variables get set for the virtual hosts.
suexec would allow its predefined variables through, plus the ones given to it, perhaps as a simple comma-separated list.

I'm not sure what impact this might have on system security. It would obviously damage it significantly if mismanaged, but it may be a useful feature to have.
>Audit-Trail:
>Unformatted:
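The filtering scheme proposed in the report, sketched as an added example (not Apache's suexec code and not part of the original report): a predefined safe list plus a caller-supplied comma-separated list, with loader and shell variables refused even when listed. The names `builtin_safe`, `never_allow`, `name_allowed` and `filter_env` are hypothetical, and the built-in list is a constructed stand-in.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the wrapper's predefined safe list. */
static const char *const builtin_safe[] = {
    "SERVER_NAME", "REQUEST_METHOD", "QUERY_STRING", NULL };
/* Names refused even when the caller lists them as "safe" (assumed policy). */
static const char *const never_allow[] = { "PATH", "IFS", "ENV", "BASH_ENV", NULL };

static int in_list(const char *const list[], const char *n, size_t len) {
    for (size_t i = 0; list[i]; i++)
        if (strlen(list[i]) == len && memcmp(list[i], n, len) == 0)
            return 1;
    return 0;
}

/* Exact-match lookup of n in a comma-separated list; no prefix matching. */
static int in_csv(const char *csv, const char *n, size_t len) {
    while (csv && *csv) {
        size_t tok = strcspn(csv, ",");
        if (tok == len && memcmp(csv, n, len) == 0)
            return 1;
        csv += tok;
        if (*csv == ',') csv++;
    }
    return 0;
}

/* Returns 1 if the variable name (len bytes) may reach the CGI, else 0. */
int name_allowed(const char *n, size_t len, const char *extra_csv) {
    if (len == 0) return 0;
    if (in_list(builtin_safe, n, len)) return 1;
    if (len >= 3 && memcmp(n, "LD_", 3) == 0) return 0; /* dynamic loader */
    if (in_list(never_allow, n, len)) return 0;
    return in_csv(extra_csv, n, len);
}

/* Copies pointers to allowed "NAME=value" entries into out; returns count. */
size_t filter_env(const char *const in[], const char *extra_csv,
                  const char *out[], size_t cap) {
    size_t k = 0;
    if (cap == 0) return 0;
    for (size_t i = 0; in[i] && k + 1 < cap; i++) {
        const char *eq = strchr(in[i], '=');
        if (eq && name_allowed(in[i], (size_t)(eq - in[i]), extra_csv))
            out[k++] = in[i];
    }
    out[k] = NULL;
    return k;
}
```

The hard refusals are checked before the extra list, so a mistaken entry in the server configuration cannot reintroduce `LD_PRELOAD` or `PATH` into the CGI's environment.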