Received: (from majordom@localhost) by hyperreal.com (8.8.4/8.8.4) id FAA21032; Sun, 13 Apr 1997 05:12:29 -0700 (PDT)
Received: from originat.demon.co.uk (originat.demon.co.uk [158.152.220.9]) by hyperreal.com (8.8.4/8.8.4) with ESMTP id FAA21028 for ; Sun, 13 Apr 1997 05:12:24 -0700 (PDT)
Received: (from paul@localhost) by originat.demon.co.uk (8.8.5/8.6.9) id NAA06021; Sun, 13 Apr 1997 13:16:10 +0100 (BST)
To: Marc Slemko
Cc: apache-bugdb@apache.org
Subject: Re: mod_env/370: Modified PATH environment variable is not passed, instead system's is used
References: <199704121440.HAA24996@hyperreal.com>
From: Paul Richards
Date: 13 Apr 1997 13:16:10 +0100
In-Reply-To: Marc Slemko's message of Sat, 12 Apr 1997 07:40:01 -0700 (PDT)
Message-ID: <87yban86et.fsf@originat.demon.co.uk>
Lines: 26
X-Mailer: Gnus v5.3/Emacs 19.34
Sender: apache-bugdb-owner@apache.org
Precedence: bulk

Marc Slemko writes:

> On Sat, 12 Apr 1997, P. Alejandro Lopez-Valencia wrote:
>
> > The use of a modified environment PATH is not reflected in the
> > actual $PATH passed to the CGI. It may constitute a security hole
> > as the $PATH used is that of the owner of the parent process (root).
>
> What do you mean "modified path"? Who is modifying it? The path should
> be that in effect when the server was started, or some default path if
> there was none. Generally root's path is reasonably restrictive; if you
> wish to modify it you should be able to use SetEnv or change the path
> before you start httpd.

We recently ran into this at work. I don't see any reason to pass the
$PATH onto scripts at all. Any scripts that depend on the $PATH aren't
written robustly enough and should be corrected to not rely on the
server's environment.

Most security breaches are due to admin error so as far as possible
programs should take this into account.

-- 
Dr Paul Richards, Originative Solutions Ltd.
Internet: paul@originat.demon.co.uk
Phone: 0370 462071 (UK Mobile)
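
Added example, not part of the original message or of Apache: one way a CGI shell script can avoid depending on the $PATH inherited from httpd, by resolving helpers only in fixed directories and running them with a scrubbed environment. The names `TRUSTED_PATH`, `resolve_trusted` and `run_trusted`, the directory list, and the presence of `/usr/bin/env` are assumptions for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names): a CGI script that ignores the
# PATH it inherits from the web server and uses its own fixed search list.

# Assumption: these are the only directories the script needs helpers from.
TRUSTED_PATH="/usr/bin:/bin"

# Resolve a bare command name to an absolute path, searching TRUSTED_PATH only.
# Prints the path and returns 0; returns 1 if the name is not found there.
resolve_trusted() {
    name=$1
    case $name in
        */*|"") return 1 ;;   # bare names only: no relative or absolute paths
    esac
    old_ifs=$IFS
    IFS=:
    for dir in $TRUSTED_PATH; do
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Run a helper by absolute path with an emptied environment, so neither the
# server's PATH nor any other inherited variable reaches the child process.
run_trusted() {
    cmd=$(resolve_trusted "$1") || {
        printf 'refusing: %s is not in a trusted directory\n' "$1" >&2
        return 127
    }
    shift
    # env is called by absolute path because PATH itself is not trusted here.
    /usr/bin/env -i PATH="$TRUSTED_PATH" "$cmd" "$@"
}
```

A script written this way behaves the same whether httpd was started with root's PATH, a SetEnv-modified one, or none at all.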