The following reply was made to PR mod_env/370; it has been noted by GNATS.
From: Marc Slemko <[EMAIL PROTECTED]>
To: Apache bugs database <[EMAIL PROTECTED]>
Subject: Re: mod_env/370: Modified PATH environment variable is not passed, instead system's is used (fwd)
Date: Mon, 25 Aug 1997 00:21:55 -0600 (MDT)

---------- Forwarded message ----------
Date: Tue, 15 Apr 1997 10:32:00 -0500
From: "P. Alejandro Lopez-Valencia" <[EMAIL PROTECTED]>
To: Marc Slemko <[EMAIL PROTECTED]>
Subject: Re: mod_env/370: Modified PATH environment variable is not passed, instead system's is used

Quoting: Re: mod_env/370: Modified PATH environment variable is not
By: Marc Slemko
Dated: 4/12/97 09:49 -0500 GMT

> Ah, ok, that is worthy of consideration. I have been trying to get time
> for a while to think over the whole way it is handled, including
> documenting a few things. If no one else beats me to it, I'll look at
> this when I get time...
>
> Thanks.
>
> On Sat, 12 Apr 1997, P. Alejandro Lopez-Valencia wrote:
>
> > On Sat, 12 Apr 1997, Marc Slemko wrote:
> >
> > > On Sat, 12 Apr 1997, P. Alejandro Lopez-Valencia wrote:
> > >
> > > > The use of a modified environment PATH is not reflected in the
> > > > actual $PATH passed to the CGI. It may constitute a security hole
> > > > as the $PATH used is that of the owner of the parent process (root).
> > >
> > > What do you mean "modified path"? Who is modifying it? The path should
> > > be that in effect when the server was started, or some default path if
> > > there was none. Generally root's path is reasonably restrictive; if you
> > > wish to modify it you should be able to use SetEnv or change the path
> > > before you start httpd.
> > >
> >
> > That is my problem.. I unset the path with UnSetEnv and redefine
> > it with SetEnv, but the $PATH inherited by the server from root (I am
> > using /bin/sh5 as its shell) is the one passed to the CGI environment.
> >

Hi,

You got me thinking and I have come up with a suggestion.
What if the path is defined internally to a sensible default (say,
$APACHE_DIR/bin:/bin), the parent process path is ignored and internally
assigned? Like this:

    $PATH="blah:blah"         # Insecure, comes from root env, ignored.
    $HT_CGI_PATH="blah:blah"  # Has a sensible default, can be redefined in srm.conf
    $PATH=$APACHE_PATH        # Internally the server assigns $HT_CGI_PATH to $PATH.

I guess this would close several possible backdoors.

BTW, I am using the disallow ID module to disable any process spawning
owned by root or a system user/group; it is not as safe as suexec I guess
but it works for me.

--
P. Alejandro López-Valencia
Ecologist Associate, International Center for Tropical Ecology at UM-St. Louis
mailto:[EMAIL PROTECTED]
*********** Most beautiful just before. ***********
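Added example, not part of the original message and not Apache's own code: a C sketch of the proposal above, in which the server builds the CGI child's environment with PATH taken from a configured value and never from the parent process. The names build_cgi_env, free_cgi_env and DEFAULT_CGI_PATH, and the default path itself, are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed fallback, standing in for the proposal's "sensible default". */
#define DEFAULT_CGI_PATH "/usr/local/apache/bin:/bin"

void free_cgi_env(char **env)
{
    for (char **e = env; e && *e; e++) free(*e);
    free(env);
}

/* Build the CGI child's environment: every inherited PATH entry is dropped
 * and exactly one PATH is set from `cgi_path` (the configured value), or
 * from DEFAULT_CGI_PATH when none is configured. NULL on allocation failure. */
char **build_cgi_env(char *const *parent_env, const char *cgi_path)
{
    const char *path = (cgi_path && *cgi_path) ? cgi_path : DEFAULT_CGI_PATH;
    size_t count = 0, out = 0, len;
    char **child;

    while (parent_env && parent_env[count]) count++;
    child = calloc(count + 2, sizeof *child);      /* room for PATH + NULL */
    if (!child) return NULL;

    for (size_t i = 0; i < count; i++) {
        if (strncmp(parent_env[i], "PATH=", 5) == 0)
            continue;                              /* never trust inherited PATH */
        len = strlen(parent_env[i]) + 1;
        if (!(child[out] = malloc(len))) { free_cgi_env(child); return NULL; }
        memcpy(child[out++], parent_env[i], len);
    }
    len = strlen(path) + sizeof "PATH=";           /* sizeof counts the NUL */
    if (!(child[out] = malloc(len))) { free_cgi_env(child); return NULL; }
    snprintf(child[out], len, "PATH=%s", path);
    return child;                                  /* pass as envp to execve() */
}

int main(void)
{
    /* Constructed sample: what a server started from root's shell inherits. */
    char *parent[] = { "PATH=/root/bin:.:/usr/sbin", "TZ=UTC", NULL };
    char **env = build_cgi_env(parent, NULL);
    if (!env) return 1;
    for (char **e = env; *e; e++) puts(*e);
    free_cgi_env(env);
    return 0;
}
```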
