Bug#426426: suEXEC and SetEnv
On Sat, 2008-03-22 at 15:12 +0100, Stefan Fritsch wrote:
> On Monday 18 February 2008, Jack Bates wrote:
> > I guess it'd be too complicated to ask for mod_env and suEXEC to cooperate, so if a user deliberately sets PERL5LIB in a .htaccess file, suEXEC passes it to the Perl CGI?
>
> This would require suexec to parse .htaccess files. This is not something we want.

What about parsing a system config file (like suPHP parses /etc/suphp/suphp.conf) listing safe environment variables?

> BTW, you can set PERL5LIB in the BEGIN block of your perl cgi scripts. I don't see why this needs to be done in the .htaccess.

The BEGIN block doesn't work for me because I'm running an application (Koha: http://koha.org/) with more than 100 scripts. Adding BEGIN blocks to each script isn't viable...

Thanks for your suggestion,
Jack
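The allowlist-plus-config idea raised in this message, sketched in C as an added example (not suEXEC's or suPHP's code): the built-in list, the sample environment, the `extra` names standing in for a root-owned config file, and the rule that config can never re-enable `LD_*` variables are all assumptions made for illustration. PERL5LIB is dropped by default because it decides which modules the CGI loads while running as the target user.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed built-in allowlist (not suEXEC's real list). An entry ending
 * in '=' matches one exact variable; any other entry is a name prefix. */
static const char *const builtin_safe[] = {
    "HTTP_", "QUERY_STRING=", "REQUEST_METHOD=", "PATH_INFO=", NULL
};
/* Constructed sample of what the web server might hand to the wrapper. */
static const char *const sample_env[] = {
    "HTTP_HOST=example.test", "PERL5LIB=/home/user/lib",
    "LD_PRELOAD=/tmp/x.so", "QUERY_STRING=a=1", "QUERY_STRINGX=1", NULL
};

/* 1 if entry ("NAME=value") is permitted by the built-in list or by one of
 * the admin-configured exact names in extra (may be NULL). */
static int env_allowed(const char *entry, const char *const *extra)
{
    for (const char *const *p = builtin_safe; *p; p++)
        if (strncmp(entry, *p, strlen(*p)) == 0)
            return 1;
    for (; extra && *extra; extra++) {
        size_t n = strlen(*extra);
        if (n == 0 || strncmp(*extra, "LD_", 3) == 0)
            continue;            /* config must not re-enable loader vars */
        if (strncmp(entry, *extra, n) == 0 && entry[n] == '=')
            return 1;            /* exact name match only, no prefixes */
    }
    return 0;
}

/* Copy only permitted entries into a new NULL-terminated array. Strings are
 * shared with envp; the caller frees the array. Returns NULL on OOM. */
const char **clean_env(const char *const envp[], const char *const *extra)
{
    size_t n = 0, k = 0;
    while (envp[n]) n++;
    const char **out = calloc(n + 1, sizeof *out);
    for (size_t i = 0; out && i < n; i++)
        if (env_allowed(envp[i], extra)) out[k++] = envp[i];
    return out;
}

int main(void)
{
    const char *const extra[] = { "PERL5LIB", NULL }; /* as if from config */
    const char **env = clean_env(sample_env, extra);
    for (const char **p = env; p && *p; p++) puts(*p);
    free(env);
    return 0;
}
```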
Bug#426426: suEXEC and SetEnv
On Monday 18 February 2008, Jack Bates wrote:
> I guess it'd be too complicated to ask for mod_env and suEXEC to cooperate, so if a user deliberately sets PERL5LIB in a .htaccess file, suEXEC passes it to the Perl CGI?

This would require suexec to parse .htaccess files. This is not something we want.

BTW, you can set PERL5LIB in the BEGIN block of your perl cgi scripts. I don't see why this needs to be done in the .htaccess.
Bug#426426: suEXEC and SetEnv
I guess it'd be too complicated to ask for mod_env and suEXEC to cooperate, so if a user deliberately sets PERL5LIB in a .htaccess file, suEXEC passes it to the Perl CGI?

From what you say, I guess this still violates the suEXEC security model, where the suEXEC suid tool is designed to protect the user from compromised Apache / mod_env...

In my case I'm not worried about PERL5LIB, so I wish suEXEC were configurable, like suPHP.

Thanks,
Jack