path for user www
How can one change the PATH for the user www ? to include e.g. /usr/local/bin In /etc/passwd the entry now is: www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
path for user www
Pieter Donche writes: How can one change the PATH for the user www ? to include e.g. /usr/local/bin In /etc/passwd the entry now is: www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin Start by reading the section 5 man page for passwd. Could you provide a little more detail about what's breaking and why you think this user's path is involved? Robert Huff ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: path for user www
On Mon, 15 Jun 2009, Robert Huff wrote: Pieter Donche writes: How can one change the PATH for the user www ? to include e.g. /usr/local/bin In /etc/passwd the entry now is: www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin Start by reading the section 5 man page for passwd. Could you provide a little more detail about what's breaking and why you think this user's path is involved? Robert Huff Some users on my system run scripts in their webpages. If they specify commands (e.g.) 'python', it is not found, unless it is specified as '/usr/local/bin/python', since the Apache runs in an environment which has as PATH: (as can be seen from phpinfo() output) /sbin:/bin:/usr/sbin:/usr:bin only. How can one make the PATH that Apache httpd deamon will use be a different path? and where exaclty does it get /sbin:/bin:/usr/sbin:/usr:bin from in the first place? I could try specifying in /usr/local/sbin/apachectl 's Bourne shell script: PATH=/sbin:/bin:/usr/sbin:/usr:bin:/usr/local/sbin:/usr/local/bin export PATH but wouldn't this be set back to the original at an Apache update? root has a better path: PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/root/bin how could I have httpd have the same path? ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: path for user www
On Mon, Jun 15, 2009 at 3:16 PM, Pieter Donche pieter.don...@ua.ac.bewrote: On Mon, 15 Jun 2009, Robert Huff wrote: Pieter Donche writes: How can one change the PATH for the user www ? to include e.g. /usr/local/bin In /etc/passwd the entry now is: www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin Start by reading the section 5 man page for passwd. Could you provide a little more detail about what's breaking and why you think this user's path is involved? Robert Huff Some users on my system run scripts in their webpages. If they specify commands (e.g.) 'python', it is not found, unless it is specified as '/usr/local/bin/python', since the Apache runs in an environment which has as PATH: (as can be seen from phpinfo() output) /sbin:/bin:/usr/sbin:/usr:bin only. How can one make the PATH that Apache httpd deamon will use be a different path? and where exaclty does it get /sbin:/bin:/usr/sbin:/usr:bin from in the first place? I could try specifying in /usr/local/sbin/apachectl 's Bourne shell script: PATH=/sbin:/bin:/usr/sbin:/usr:bin:/usr/local/sbin:/usr/local/bin export PATH but wouldn't this be set back to the original at an Apache update? root has a better path: PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/root/bin how could I have httpd have the same path? Hello Pieter, I guess you are looking for apache's SetEnv directive: http://httpd.apache.org/docs/1.3/mod/mod_env.html#setenv a great day, v -- network warrior since 2005 ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: path for user www
On Mon, 15 Jun 2009, Valentin Bud wrote: On Mon, Jun 15, 2009 at 3:16 PM, Pieter Donche pieter.don...@ua.ac.be wrote: On Mon, 15 Jun 2009, Robert Huff wrote: Pieter Donche writes: How can one change the PATH for the user www ? to include e.g. /usr/local/bin In /etc/passwd the entry now is: www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin Start by reading the section 5 man page for passwd. Could you provide a little more detail about what's breaking and why you think this user's path is involved? Robert Huff Some users on my system run scripts in their webpages. If they specify commands (e.g.) 'python', it is not found, unless it is specified as '/usr/local/bin/python', since the Apache runs in an environment which has as PATH: (as can be seen from phpinfo() output) /sbin:/bin:/usr/sbin:/usr:bin only. How can one make the PATH that Apache httpd deamon will use be a different path? and where exaclty does it get /sbin:/bin:/usr/sbin:/usr:bin from in the first place? I could try specifying in /usr/local/sbin/apachectl 's Bourne shell script: PATH=/sbin:/bin:/usr/sbin:/usr:bin:/usr/local/sbin:/usr/local/bin export PATH but wouldn't this be set back to the original at an Apache update? root has a better path: PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bi n:/root/bin how could I have httpd have the same path? Hello Pieter, I guess you are looking for apache's SetEnv directive: http://httpd.apache.org/docs/1.3/mod/mod_env.html#setenv (I use apache 2.2.11) 1. I noticed that when I do a # apachectl graceful from within a root shell, then the PATH env. var. for Apache Environment as reported by phpinfo() is equal to the PATH setting of my root user. (/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/root/bin) Probably when rebooting the machine, PATH will be set to a very limited /sbin:/bin:/usr/sbin:/usr/bin (where does this come from?) Now I see from reading the apache start-up script /usr/local/sbin/apachectl that one can create a file with instructions to be executed at startup of Apache: any file in /usr/local/etc/apache22/envvars.d is sourced into the start up environment of apache. This directory was empty for the moment. So I could put in there a file, /usr/local/etc/apache22/envvars.d/mysettings PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin export PATH # apachectl graceful however this did not change the phpinfo() reported PATH, it remained the same as my root path 2. I also tried, as you suggested # vi /etc/httpd.conf ... SetEnv TEST_ENV_VARfoo-foo SetEnv PATH/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin (the first SetEnv is just to see if it indeed sets Env. vars.) # apachectl graceful The TEST_ENV_VAR foo-foo is reported But again PATH remains the same as my root path. Does this mean when executing # apachectl graceful from within a root shell PATH will ALWAYS be overridden by the value of PATH of the root shell? I don't see what rules of precedence acutally apply ... Anyone can explain me? And will SetEnv in /etc/httpd.conf also work at boot ??? Or will only /usr/local/etc/apache22/envvars.d/mysettings work at boot ?? Or will none of these work at boot ? ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: path for user www
--On Monday, June 15, 2009 07:16:51 -0500 Pieter Donche pieter.don...@ua.ac.be wrote: On Mon, 15 Jun 2009, Robert Huff wrote: Pieter Donche writes: How can one change the PATH for the user www ? to include e.g. /usr/local/bin In /etc/passwd the entry now is: www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin Start by reading the section 5 man page for passwd. Could you provide a little more detail about what's breaking and why you think this user's path is involved? Robert Huff Some users on my system run scripts in their webpages. If they specify commands (e.g.) 'python', it is not found, unless it is specified as '/usr/local/bin/python', since the Apache runs in an environment which has as PATH: (as can be seen from phpinfo() output) /sbin:/bin:/usr/sbin:/usr:bin only. How can one make the PATH that Apache httpd deamon will use be a different path? and where exaclty does it get /sbin:/bin:/usr/sbin:/usr:bin from in the first place? I could try specifying in /usr/local/sbin/apachectl 's Bourne shell script: PATH=/sbin:/bin:/usr/sbin:/usr:bin:/usr/local/sbin:/usr/local/bin export PATH but wouldn't this be set back to the original at an Apache update? root has a better path: PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin: /root/bin how could I have httpd have the same path? Why would you want to? You'd open yourself up to all sorts of potential compromise paths. There's a reason why root's path is different from normal users. Instead of doing that, consider creating jails. Or create a symlink to only those binaries that they need to run their scripts to a location that www already has in its path. -- Paul Schmehl, Senior Infosec Analyst As if it wasn't already obvious, my opinions are my own and not those of my employer. *** Check the headers before clicking on Reply. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: path for user www
On Monday 15 June 2009 06:15:11 Pieter Donche wrote: Now I see from reading the apache start-up script /usr/local/sbin/apachectl that one can create a file with instructions to be executed at startup of Apache: any file in /usr/local/etc/apache22/envvars.d is sourced into the start up environment of apache. Nope, you didn't read it right. This directory was empty for the moment. So I could put in there a file, /usr/local/etc/apache22/envvars.d/mysettings PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin export PATH I don't see what rules of precedence acutally apply ... Anyone can explain me? And will SetEnv in /etc/httpd.conf also work at boot ??? Or will only /usr/local/etc/apache22/envvars.d/mysettings work at boot ?? It will never work: 1) Your file needs to end in .env. 2) graceful does not restart the root process and the environment is kept in the root httpd process, thus you need to restart apache. % alias aprestart aprestart='sudo /usr/local/etc/rc.d/apache22 restart' % cat /usr/local/etc/apache22/envvars.d/path.env #!/bin/sh export PATH=/sbin:/bin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin % aprestart Performing sanity check on apache22 configuration: Syntax OK Stopping apache22. Waiting for PIDS: 85453. Performing sanity check on apache22 configuration: Syntax OK Starting apache22. % curl -s http://localhost/info.php |sed -ne '/PATH / s,[^]*,,gp' |head -1 PATH /sbin:/bin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin -- Mel ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: path for user www
On Monday 15 June 2009 06:29:13 Paul Schmehl wrote: Why would you want to? You'd open yourself up to all sorts of potential compromise paths. There's a reason why root's path is different from normal users. Without forcing a PATH for apache, you open yourself up to exactly the things you're warning for, when you restart apache in multi-user. When using sudo apache would actually have the PATH of your normal user. Also, PATH for root is _not_ noticably different from normal users in a vanilla install. Only the path during rc(8) stage is sanitized, which is why you see a different path after reboot. Ideally, the apache port would install a path.env.default in the envvars.d directory and mention it's usage in pkg-message. -- Mel ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org