You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2013/09/28 17:22:33 UTC
[Bug 55607] New: Re-set HOME environment variable to directory from
pw
https://issues.apache.org/bugzilla/show_bug.cgi?id=55607
Bug ID: 55607
Summary: Re-set HOME environment variable to directory from pw
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P2
Component: mod_suexec
Assignee: bugs@httpd.apache.org
Reporter: ahti333+apachebugs@gmail.com
I think it is pretty inconvenient that one can't refer to the HOME environment
variable in SuExec'd scripts.
SuExec already gets the target users pw information (and his home directory)
while performing security checks. It would be reasonable, imho, to set the HOME
env variable to this value.
I can not come up with any way how this could impact security, a script could
do this lookup itself (although this is annoying, because most libraries rely
on the HOME variable being set), so this would not expose any additional
information.
I would suggest to add something like this (code not tested):
/*
* Add the Home-directory from pw to the environment
*/
{
char **ep;
char homebuf[256];
sprintf(homebuf, "HOME=%s", target_homedir);
ep = environ;
while (*ep != NULL) ++ep;
*ep = strdup(homebuf);
if (*ep == NULL) {
log_err("failed to malloc memory for environment\n");
exit(124);
}
*(ep + 1) = NULL;
}
at line 472 in suexec.c
What do You think?
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org