The following reply was made to PR mod_env/370; it has been noted by GNATS.
From: "P. Alejandro Lopez-Valencia" <[EMAIL PROTECTED]>
To: Marc Slemko <[EMAIL PROTECTED]>
Subject: Re: mod_env/370: Modified PATH environment variable is not passed, instead system's is used
Date: Sat, 12 Apr 1997 09:44:56 -0700 (PDT)
On Sat, 12 Apr 1997, Marc Slemko wrote:
> On Sat, 12 Apr 1997, P. Alejandro Lopez-Valencia wrote:
>
> > The use of a modified environment PATH is not reflected in the
> > actual $PATH passed to the CGI. It may constitute a security hole
> > as the $PATH used is that of the owner of the parent process (root).
>
> What do you mean "modified path"? Who is modifying it? The path should
> be that in effect when the server was started, or some default path if
> there was none. Generally root's path is reasonably restrictive; if you
> wish to modify it you should be able to use SetEnv or change the path
> before you start httpd.
>
That is my problem.. I unset the path with UnSetEnv and redefine
it with SetEnv, but the $PATH inherited by the server from root (I am
using /bin/sh5 as its shell) is the one passed to the CGI environment.
--
P. Alejandro Lopez-Valencia Ecologist
Associate
International Center for Tropical Ecology at UM-St. Louis
[EMAIL PROTECTED]
[EMAIL PROTECTED]
http://ecology.umsl.edu/~palopez/
******** Most beautiful just before. ********