Description of problem:
apachectl doesn't clean up the environment before starting httpd. This results in making all environment variables of the calling user visible to CGI scripts. I think that:
1. it is a potential security risk; for example, all SSH forwarding variables are visible (SSH_*)
2. it can also mess up some modules or libraries called from Apache or CGI scripts; think for example of locales (LANG and LC_* variables) or more specifically postgresql data formatting (PGDATASTYLE var...) in PHP.

BTW, /etc/init.d/httpd should *always* use apachectl to avoid duplicating changes.

Version-Release number of selected component (if applicable):
httpd-2.0.48-1.2

How reproducible:
Always.

Steps to Reproduce:
1. Log in as root,
2. Do "apachectl stop" then "apachectl start"
3. Look at some CGI script that outputs environment like "printenv" and compare with root's env...

Actual results:
*All* environment variables of the apachectl calling user (mainly root) are made visible from CGI scripts, including sensitive ones...

Expected results:
httpd should be started with a clean, controlled environment.

Additional info:
Easy to fix, I included the modified httpd-2.0.40-apctl.patch file.
Created attachment 98510
Modified apachectl.in patch

This patch defines an ENV variable looking like this:
    ENV="/bin/env - PATH=/usr/bin:/bin:/usr/local/bin $HTTPD_ENV"
Which is then used to launch httpd:
    $ENV $HTTPD <args...>
Thanks, yes, this happens if you start httpd from /etc/init.d/httpd too; as covered in bug 97604, whereas if you use "service httpd start" you get a clean environment. Your change looks good for FC2.
1) After reading the bug 97604 descriptions, I shall add that the $ENV definition may be changed to:
    ENV="/bin/env -i LANG=$LANG PATH=/usr/bin:/bin:/usr/local/bin $HTTPD_ENV"
(using "-i" instead of "-" and adding LANG)
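The environment scrubbing proposed in the comments above, as an added example that is not the attached patch or Fedora's apachectl: a POSIX shell launcher that starts a child under "env -i" with a fixed PATH, LANG and the HTTPD_ENV pairs, plus a check of what the child actually sees. run_clean, child_names, SAFE_PATH and ENV_BIN are hypothetical names, and the SSH_AUTH_SOCK value is constructed.

```shell
#!/bin/sh
# Added example (not the attached patch): start a child process with a
# scrubbed environment, as the proposed apachectl change does for httpd.

# Fixed PATH, as given in the patch description in this thread.
SAFE_PATH="/usr/bin:/bin:/usr/local/bin"

# Call env by absolute path so the launcher does not trust the caller's PATH.
# Assumption: env is installed as /usr/bin/env or /bin/env.
if [ -x /usr/bin/env ]; then ENV_BIN=/usr/bin/env; else ENV_BIN=/bin/env; fi

# run_clean CMD [ARGS...] (hypothetical helper)
# "env -i" discards everything the caller exported (SSH_*, LC_*, PG*, ...).
# Only LANG, PATH and the NAME=value pairs in HTTPD_ENV are passed on.
run_clean() {
    # HTTPD_ENV is left unquoted on purpose: it holds space-separated
    # NAME=value words, so values containing spaces are not supported.
    "$ENV_BIN" -i LANG="${LANG:-C}" PATH="$SAFE_PATH" ${HTTPD_ENV:-} "$@"
}

# child_names (hypothetical helper)
# Prints the sorted names of the variables a cleanly launched child sees.
# This is the check the "printenv" CGI script performs in the bug report.
child_names() {
    run_clean "$ENV_BIN" | sed 's/=.*//' | LC_ALL=C sort
}

# Demonstration with a constructed value standing in for a forwarded agent.
SSH_AUTH_SOCK=/tmp/constructed-agent.sock
export SSH_AUTH_SOCK
echo "inherited child sees SSH_AUTH_SOCK lines: $("$ENV_BIN" | grep -c '^SSH_AUTH_SOCK=')"
echo "clean child sees only: $(child_names | tr '\n' ' ')"
```

A child started directly still inherits SSH_AUTH_SOCK, while the one started through run_clean sees only the allowlisted names.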
Fedora Core 1 is maintained by the Fedora Legacy project for security updates only. If this problem is a security issue, please reopen and reassign to the Fedora Legacy product. If it is not a security issue and hasn't been resolved in the current FC5 updates or in the FC6 test release, reopen and change the version to match. Thanks! NOTE: Fedora Core 1 is reaching the final end of support even by the Legacy project. After Fedora Core 6 Test 2 is released (currently scheduled for July 26th), there will be no more security updates for FC1. Please use these next two weeks to upgrade any remaining FC1 systems to a current release.
This seems to be fixed in FC6. (Well, it does pick up the entire PATH from root, but it doesn't grab other variables.) I'm not sure when it was fixed, but this bug was never closed. Note that FC1 and FC2 are no longer supported even by Fedora Legacy. If this still occurs on FC3 or FC4, please assign to that version and Fedora Legacy. If it still occurs on FC5, please reopen and assign to the correct version. Closing bug.