httpd-users mailing list archives

From Jez Hancock <jez.hanc...@munk.nu>
Subject Re: [users@httpd] Apache / apachectl environment sanity
Date Thu, 13 Nov 2003 17:36:13 GMT
On Thu, Nov 13, 2003 at 12:20:04PM -0500, Joshua Slive wrote:
> 
> On Thu, 13 Nov 2003, Jez Hancock wrote:
> > The issue is with the apachectl script not starting the httpd in a clean
> > environment, leading to the shell environment of the user that invoked
> > the apachectl script being available to other apache modules (PHP for
> > one).
> >
> > In the case of PHP the environment of the apachectl-invoking-user
> > is available _by default_ in the $_ENV superglobals array.
> >
> > The simple solution I'm using right now (along with many others no
> > doubt) is to simply add the following to my (freebsd specific) apachectl
> > script:
> 
> > - HTTPD=`echo /usr/bin/env -i $HTTPD`
> 
> Although this is a perfectly valid thing to do for some people, I think
> you are right that this won't be of interest for the average apache user.
> In fact, many people rely on the ability to set the apache environment.
I thought it might be a bit too much to force on people, best to check
first.

> Perhaps somewhere in the docs (apachectl or httpd) we should just put a
> note reminding people to be aware of the environment that they are using
> when they launch apache.
A note in the security section of the docs might be good, I can't
remember reading about it there, although it's been a while since I
perused that doc :P

Come to think of it, I don't think it was in there. I did do a bit of
googling originally, when I found my IRCNICK in the $_ENV array in a
phpinfo() call(!), to find out how to stop the invoking user's env being
inherited, and didn't come across any refs to it on the apache.org domain
(I think there were a few refs to the issue on the php mail list
though).

-- 
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
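
The clean start discussed in this thread, as an added example that is not part of the original message or of apachectl: it wraps `env -i` so a daemon receives only an allowlisted set of variables, and lists which of the invoking user's variables a default start would hand over. The names `run_clean`, `leaked_vars`, `var_names` and `ALLOWED_VARS`, and the allowlist contents, are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from apachectl.
# All function and variable names here are hypothetical.

# Variables the daemon is allowed to inherit (assumed list; adjust per site).
ALLOWED_VARS="PATH LANG TZ"

# Run "$@" under env -i, passing through only the allowlisted variables
# that are actually set in the caller's environment.
run_clean() {
    for name in $ALLOWED_VARS; do
        # is_set becomes "x" only when the variable exists.
        eval "is_set=\${$name+x}"
        if [ -n "$is_set" ]; then
            # Prepend NAME=value to the argument list handed to env -i.
            eval "set -- \"\$name=\${$name}\" \"\$@\""
        fi
    done
    env -i "$@"
}

# Reduce `env` output to variable names. Values containing newlines can
# produce stray names; treat the result as a review aid, not an exact list.
var_names() {
    sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' | sort -u
}

# Print the names a child started the default way would inherit but a
# child started through run_clean would not.
leaked_vars() {
    clean=$(run_clean env | var_names)
    env | var_names | while read -r n; do
        printf '%s\n' "$clean" | grep -qxF "$n" || printf '%s\n' "$n"
    done
}

# Usage (placeholder path): run_clean /path/to/httpd
# Review before a start:    leaked_vars
```

Running `leaked_vars` in the shell that will invoke apachectl shows what would otherwise reach `$_ENV` in PHP.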

