https://issues.apache.org/bugzilla/show_bug.cgi?id=55607
Bug ID: 55607
Summary: Re-set HOME environment variable to directory from pw
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P2
Component: mod_suexec
Assignee: [email protected]
Reporter: [email protected]
I think it is pretty inconvenient that one can't refer to the HOME environment
variable in SuExec'd scripts.

SuExec already gets the target user's pw information (and his home directory)
while performing security checks. It would be reasonable, imho, to set the HOME
env variable to this value.

I cannot come up with any way this could impact security; a script could
do this lookup itself (although this is annoying, because most libraries rely
on the HOME variable being set), so this would not expose any additional
information.

I would suggest adding something like this (code not tested):

    /*
     * Add the home directory from pw to the environment.
     * setenv() (<stdlib.h>) copies the value, replaces any HOME that is
     * already set and grows the environ array itself, so there is no
     * fixed-size buffer to overflow and no write past the end of the
     * array.
     */
    if (setenv("HOME", target_homedir, 1) != 0) {
        log_err("failed to malloc memory for environment\n");
        exit(124);
    }

at line 472 in suexec.c

What do you think?
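
Added example, not part of the original report or of suexec.c: a stand-alone helper that builds an environment array with exactly one HOME entry taken from the passwd home directory, sizing the string and the array from the input. The name env_with_home and the absolute-path check are assumptions, and the sample environment is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical helper (not in suexec.c): return a newly allocated,
 * NULL-terminated copy of env holding exactly one HOME entry, built
 * from homedir (e.g. pw->pw_dir). Old entries are shared, not copied.
 * Returns NULL on bad input or allocation failure.
 */
char **env_with_home(char *const *env, const char *homedir)
{
    size_t n = 0, out = 0, i, len;
    char **newenv, *home;

    /* Assumed policy: only an absolute home directory is exported. */
    if (env == NULL || homedir == NULL || homedir[0] != '/')
        return NULL;
    while (env[n] != NULL)
        n++;
    /* Size the string from the value instead of a fixed char[256]. */
    len = strlen("HOME=") + strlen(homedir) + 1;
    home = malloc(len);
    /* Room for every old entry, the new HOME and the terminator. */
    newenv = calloc(n + 2, sizeof(*newenv));
    if (home == NULL || newenv == NULL) {
        free(home);
        free(newenv);
        return NULL;
    }
    snprintf(home, len, "HOME=%s", homedir);
    /* Drop any inherited HOME: common getenv() implementations return
     * the first match, so it would shadow one appended at the end. */
    for (i = 0; i < n; i++)
        if (strncmp(env[i], "HOME=", 5) != 0)
            newenv[out++] = env[i];
    newenv[out++] = home;
    newenv[out] = NULL;
    return newenv;
}

int main(void)
{
    /* Constructed sample environment and home directory. */
    char *env[] = { "PATH=/usr/bin", "HOME=/var/www", "TZ=UTC", NULL };
    char **e = env_with_home(env, "/home/alice");
    for (; e != NULL && *e != NULL; e++)
        puts(*e);
    return 0;
}
```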