Bug 118198

Summary: unclean httpd environment with apachectl
Product: [Fedora] Fedora
Reporter: Guillaume Perréal <perreal>
Component: httpd
Assignee: Joe Orton <jorton>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: 1
CC: mattdm
Hardware: All   
OS: Linux   
Whiteboard: impact=low
Fixed In Version: fc6
Doc Type: Bug Fix
Last Closed: 2006-10-28 14:58:59 UTC
Attachments: Modified apachectl.in patch (flags: none)

Description Guillaume Perréal 2004-03-13 10:18:08 UTC
Description of problem:

apachectl doesn't clean up the environment before starting httpd. This
results in making all environment variables of the calling user visible to
CGI scripts. I think that:

1. it is a potential security risk; for example, all SSH forwarding
variables are visible (SSH_*)

2. it can also mess up some modules or libraries called from Apache or
CGI scripts, think for example of locales (LANG and LC_* variables) or
more specifically postgresql data formatting (PGDATASTYLE var...) in PHP.

BTW, /etc/init.d/httpd should *always* use apachectl to avoid
duplicating changes.

Version-Release number of selected component (if applicable):

httpd-2.0.48-1.2

How reproducible:

Always.

Steps to Reproduce:
1. Log in as root,
2. Do "apachectl stop" then "apachectl start"
3. Look at some CGI script that outputs the environment, like "printenv",
and compare with root's env...
  
Actual results:

*All* environment variables of the apachectl calling user (mainly
root) are made visible from CGI scripts, including sensible ones...

Expected results:

httpd should be started with a clean, controlled environment.

Additional info:

Easy to fix, I included the modified httpd-2.0.40-apctl.patch file.

Comment 1 Guillaume Perréal 2004-03-13 10:23:08 UTC
Created attachment 98510 [details]
Modified apachectl.in patch

This patch defines an ENV variable looking like this:
ENV="/bin/env - PATH=/usr/bin:/bin:/usr/local/bin $HTTPD_ENV"
Which is then used to launch httpd:
$ENV $HTTPD <args...>

Comment 2 Joe Orton 2004-03-13 10:31:01 UTC
Thanks, yes, this happens if you start httpd from /etc/init.d/httpd
too; as covered in bug 97604, whereas if you use "service httpd start"
you get a clean environment.  Your change looks good for FC2.

Comment 3 Guillaume Perréal 2004-03-14 13:02:43 UTC
1) After reading bug 97604 descriptions, I shall add that the $ENV
definition may be changed to:

ENV="/bin/env -i LANG=$LANG PATH=/usr/bin:/bin:/usr/local/bin $HTTPD_ENV"

(using "-i" instead of "-" and adding LANG)
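
The wrapper described in comments 1 and 3, as an added example that is not the attached patch or Fedora's apachectl: it starts a child through `env -i` with a fixed PATH, LANG and the words in `$HTTPD_ENV`, then lists what the child can actually see. The function names, the sample variable values and the use of `/usr/bin/env` in place of the `/bin/env` path quoted above are assumptions.

```shell
#!/bin/sh
# Added example: launch a child with a scrubbed environment and check
# that the caller's variables (SSH_*, LC_*, ...) do not reach it.

# Fixed PATH, as in the ENV definition quoted in the comments above.
CLEAN_PATH="/usr/bin:/bin:/usr/local/bin"

# run_clean CMD [ARGS...] (hypothetical helper)
# Runs CMD with only LANG, PATH and the NAME=VALUE words in $HTTPD_ENV.
run_clean() {
    # $HTTPD_ENV is deliberately unquoted so it splits into NAME=VALUE words.
    /usr/bin/env -i LANG="${LANG:-C}" PATH="$CLEAN_PATH" $HTTPD_ENV "$@"
}

# child_var_names: sorted names of the variables a child of run_clean sees.
child_var_names() {
    run_clean env | sed 's/=.*//' | sort
}

# leaked_names REGEX: child variable names matching REGEX (e.g. '^SSH_').
# Empty output means nothing matching was inherited.
leaked_names() {
    child_var_names | grep -E "$1" || true
}

# Constructed values standing in for a root session opened over SSH.
demo() {
    SSH_AUTH_SOCK=/tmp/ssh-constructed/agent.1234
    SSH_CLIENT="192.0.2.10 50000 22"
    LC_ALL=fr_FR.UTF-8
    export SSH_AUTH_SOCK SSH_CLIENT LC_ALL
    HTTPD_ENV="TZ=UTC"
    echo "caller has SSH_AUTH_SOCK=$SSH_AUTH_SOCK"
    echo "child sees: $(child_var_names | tr '\n' ' ')"
    echo "leaked SSH_/LC_ names: [$(leaked_names '^(SSH_|LC_)')]"
}

demo
```

Replacing `env` in `child_var_names` with the real server binary is what the `$ENV $HTTPD <args...>` line in comment 1 does; values placed in `$HTTPD_ENV` must not contain spaces, because the variable is word-split.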

Comment 4 Matthew Miller 2006-07-11 17:33:39 UTC
Fedora Core 1 is maintained by the Fedora Legacy project for security updates
only. If this problem is a security issue, please reopen and reassign to the
Fedora Legacy product. If it is not a security issue and hasn't been resolved in
the current FC5 updates or in the FC6 test release, reopen and change the
version to match.

Thanks!

NOTE: Fedora Core 1 is reaching the final end of support even by the Legacy
project. After Fedora Core 6 Test 2 is released (currently scheduled for July
26th), there will be no more security updates for FC1. Please use these next two
weeks to upgrade any remaining FC1 systems to a current release.



Comment 5 John Thacker 2006-10-28 14:58:59 UTC
This seems to be fixed in FC6.  (Well, it does pick up the entire PATH from
root, but it doesn't grab other variables.)  I'm not sure when it was fixed, but
this bug was never closed.

Note that FC1 and FC2 are no longer supported even by Fedora Legacy.  If this
still occurs on FC3 or FC4, please assign to that version and Fedora Legacy.
If it still occurs on FC5, please reopen and assign to the correct version.

Closing bug.