httpd-dev mailing list archives

From Marc Slemko <ma...@worldgate.com>
Subject Re: Environment
Date Sun, 23 Nov 1997 22:53:55 GMT
On Sun, 23 Nov 1997, Jim Jagielski wrote:

> Marc Slemko wrote:
> > 
> > On Sun, 23 Nov 1997, Jim Jagielski wrote:
> > 
> > > Urm... Should Apache clear out its environment when it does the
> > > setuid() call?
> > 
> > I don't see why.
> > 
> > > 
> > > Not sure if this is the case with standard CGIs, but when using
> > 
> > No it isn't.  The environment passed to other processes is restricted.
> > 
> > > the PHP module, the <?phpinfo()> call displays the _root_
> > > environment since the parent process runs as root and this
> > > isn't cleared out by the children... This gives me the willies.
> > 
> > Clearing the environment would break things like this that needed a
> > particular value set unless you modified PassEnv or something to have a
> > dual purpose.
> > 
> 
> Aren't there some ENV settings that are known to be semi-dangerous?
> I seem to recall something about LD_LIBRARY or something like that.
> 'Course, since we're running as httpd and not root, I guess that
> minimizes stuff.

They can be dangerous, but they can't be magically set by just anyone and
they can also be necessary.  Just chopping everything off at the knees can
break things.  Any variable set has been set before the server was
started.

For external processes, we set a limited subset of variables.

For modules it is somewhat difficult, but I don't see that having Apache
clean everything out is a good solution.
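
The "limited subset of variables" approach for external processes, sketched as an added example (not part of the original message and not Apache's own code): the child's environment is built from an allowlist instead of being inherited. The function names, the allowlist contents and the sample environment are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical allowlist, similar in spirit to names listed with PassEnv. */
static const char *const child_allow[] = { "PATH", "TZ", NULL };

/* Return 1 if entry "NAME=value" has exactly the given name (no prefix match). */
static int env_name_is(const char *entry, const char *name)
{
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/*
 * Fill out[] (capacity cap, including the NULL terminator) with pointers to
 * the parent entries whose names are on the allowlist. Returns the number of
 * entries kept, or -1 if out[] is too small. Everything else is dropped.
 */
static int build_child_env(char *const parent[], const char *const allow[],
                           char *out[], size_t cap)
{
    size_t kept = 0;
    if (cap == 0) return -1;
    for (size_t i = 0; parent[i] != NULL; i++) {
        for (size_t j = 0; allow[j] != NULL; j++) {
            if (env_name_is(parent[i], allow[j])) {
                if (kept + 1 >= cap) return -1;  /* keep room for NULL */
                out[kept++] = parent[i];
                break;
            }
        }
    }
    out[kept] = NULL;
    return (int)kept;
}

/* Constructed sample of the environment a root-started parent might hold. */
static char *sample_parent_env[] = {
    "PATH=/usr/bin:/bin", "HOME=/root", "LD_LIBRARY_PATH=/opt/lib",
    "PATHEXT=x", "TZ=UTC", NULL
};

int main(void)
{
    char *child[8];
    int n = build_child_env(sample_parent_env, child_allow, child, 8);
    /* child[] is what would be handed to execve() as envp for the CGI. */
    return n == 2 ? 0 : 1;
}
```

This only covers processes started through exec; code loaded as a module runs inside the server process and reads the parent's environment directly, which is the case discussed in the thread.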

