www-apache-bugdb mailing list archives

From m...@apache.org
Subject Re: suexec/4709: SuExec doesn't allow LD_LIBRARY_PATH to be a part of "safe_env_lst"
Date Thu, 08 Jul 1999 16:24:44 GMT
[In order for any reply to be added to the PR database, ]
[you need to include <apbugs@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request ]
[from a developer.                                      ]
[Reply only with text; DO NOT SEND ATTACHMENTS!         ]

Synopsis: SuExec doesn't allow LD_LIBRARY_PATH to be a part of "safe_env_lst"

State-Changed-From-To: open-closed
State-Changed-By: marc
State-Changed-When: Thu Jul  8 09:24:44 PDT 1999
The whole point of the restriction of what environment
variables can be passed to CGIs is to stop things like
LD_LIBRARY_PATH.  It is a security hole to allow LD_LIBRARY_PATH
to be passed through, because it means that if someone can
get access to the UID that can run suexec then they can
execute arbitrary (i.e. not just set CGIs) code as any user
that suexec will use.
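
The restriction described in the message above, as an added example that is not part of the original message and is not Apache's suexec code: a default-deny environment filter run before a CGI is executed. The allowlist contents and the function names `env_entry_allowed` and `build_clean_env` are assumptions for illustration, and the sample environment in `main` is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative allowlist (assumption: not suexec's actual safe_env_lst). */
static const char *const allowed_names[] = {
    "CONTENT_LENGTH", "CONTENT_TYPE", "QUERY_STRING",
    "REQUEST_METHOD", "SCRIPT_NAME", "TZ", NULL
};

/* Return 1 if the "NAME=value" entry may be passed on, 0 otherwise. */
int env_entry_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t nlen, i;

    if (eq == NULL || eq == entry)
        return 0;                      /* malformed: no '=' or empty name */
    nlen = (size_t)(eq - entry);
    for (i = 0; allowed_names[i] != NULL; i++) {
        /* Compare the whole name, so "TZDIR" does not match "TZ". */
        if (strlen(allowed_names[i]) == nlen &&
            strncmp(entry, allowed_names[i], nlen) == 0)
            return 1;
    }
    return 0;                          /* default deny: LD_LIBRARY_PATH etc. */
}

/* Build a NULL-terminated array holding only the allowed entries of envp.
 * Returns the number of entries kept, or -1 if allocation fails. */
int build_clean_env(char *const envp[], char ***out)
{
    size_t n = 0, kept = 0, i;
    char **clean;

    while (envp[n] != NULL) n++;
    clean = calloc(n + 1, sizeof *clean);
    if (clean == NULL) return -1;
    for (i = 0; i < n; i++)
        if (env_entry_allowed(envp[i]))
            clean[kept++] = envp[i];
    *out = clean;                      /* calloc left the terminator NULL */
    return (int)kept;
}

int main(void)
{
    /* Constructed sample environment, as a caller might supply it. */
    char *env[] = { "LD_LIBRARY_PATH=/tmp/x", "REQUEST_METHOD=GET", "TZ=UTC", NULL };
    char **clean = NULL;
    int i, kept = build_clean_env(env, &clean);
    for (i = 0; i < kept; i++) puts(clean[i]);
    free(clean);
    return kept < 0;
}
```
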
