Bug 118198 - unclean httpd environment with apachectl
Product: Fedora
Classification: Fedora
Component: httpd
Hardware: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: Joe Orton
Reported: 2004-03-13 05:18 EST by Guillaume Perréal
Modified: 2007-11-30 17:10 EST (History)
Fixed In Version: fc6
Doc Type: Bug Fix
Last Closed: 2006-10-28 10:58:59 EDT

Attachments
Modified apachectl.in patch (2.96 KB, patch)
2004-03-13 05:23 EST, Guillaume Perréal

Description Guillaume Perréal 2004-03-13 05:18:08 EST
Description of problem:

apachectl doesn't clean up the environment before starting httpd. This
results in making all environment variables of the calling user visible to
CGI scripts. I think that:

1. it is a potential security risk; for example, all SSH forwarding
variables are visible (SSH_*)

2. it can also mess up some modules or libraries called from Apache or
CGI scripts, think for example of locales (LANG and LC_* variables) or
more specifically postgresql data formatting (PGDATASTYLE var...) in PHP.

BTW, /etc/init.d/httpd should *always* use apachectl to avoid
duplicating changes.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Log in as root,
2. Do "apachectl stop" then "apachectl start"
3. Look at some CGI script that outputs environment like "printenv"
and compare with root's env...

Actual results:

*All* environment variables of the apachectl calling user (mainly
root) are made visible from CGI scripts, including sensitive ones...

Expected results:

httpd should be started with a clean, controlled environment.

Additional info:

Easy to fix, I included the modified httpd-2.0.40-apctl.patch file.
Comment 1 Guillaume Perréal 2004-03-13 05:23:08 EST
Created attachment 98510 [details]
Modified apachectl.in patch

This patch defines an ENV variable looking like this:
ENV="/bin/env - PATH=/usr/bin:/bin:/usr/local/bin $HTTPD_ENV"
Which is then used to launch httpd:
$ENV $HTTPD <args...>
Comment 2 Joe Orton 2004-03-13 05:31:01 EST
Thanks, yes, this happens if you start httpd from /etc/init.d/httpd
too; as covered in bug 97604, whereas if you use "service httpd start"
you get a clean environment.  Your change looks good for FC2.
Comment 3 Guillaume Perréal 2004-03-14 08:02:43 EST
1) After reading the bug 97604 descriptions, I shall add that the $ENV
definition may be changed to:

ENV="/bin/env -i LANG=$LANG PATH=/usr/bin:/bin:/usr/local/bin $HTTPD_ENV"

(using "-i" instead of "-" and adding LANG)
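
Added example, not part of the bug report or the attached patch: the effect of the `env -i` launch line from Comment 3, with `env` standing in for httpd. HTTPD_ENV and the PATH value come from the comments above; the function names and all variable values are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added example. `env` stands in for httpd/CGI; all variable values are constructed.

# Start a command the way the patched apachectl would: empty environment
# plus an explicit allowlist (LANG, fixed PATH, optional $HTTPD_ENV pairs).
run_clean() {
    # HTTPD_ENV is left unquoted on purpose so "A=1 B=2" splits into pairs.
    env -i LANG="${LANG:-C}" PATH=/usr/bin:/bin:/usr/local/bin $HTTPD_ENV "$@"
}

# Reduce `env` output to sorted variable names (multi-line values may add noise).
names_only() {
    sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' | sort -u
}

inherited_names() { env | names_only; }           # unpatched start: child sees all
clean_names()     { run_clean env | names_only; } # patched start: allowlist only

# Names a CGI script would see only because the caller's environment leaked.
leaked_names() {
    clean=$(clean_names)
    inherited_names | while read -r name; do
        printf '%s\n' "$clean" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# Demo in a subshell so the constructed variables do not persist.
demo() (
    export SSH_AUTH_SOCK=/tmp/constructed-agent.sock PGDATASTYLE=constructed
    echo "visible after clean start: $(clean_names | tr '\n' ' ')"
    echo "leaked without cleanup:    $(leaked_names | grep -E '^(SSH_|PG)' | tr '\n' ' ')"
)
demo
```

Running `leaked_names` as the account that normally restarts httpd gives the list of variables to review before deciding what belongs in HTTPD_ENV.
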
Comment 4 Matthew Miller 2006-07-11 13:33:39 EDT
Fedora Core 1 is maintained by the Fedora Legacy project for security updates
only. If this problem is a security issue, please reopen and reassign to the
Fedora Legacy product. If it is not a security issue and hasn't been resolved in
the current FC5 updates or in the FC6 test release, reopen and change the
version to match.


NOTE: Fedora Core 1 is reaching the final end of support even by the Legacy
project. After Fedora Core 6 Test 2 is released (currently scheduled for July
26th), there will be no more security updates for FC1. Please use these next two
weeks to upgrade any remaining FC1 systems to a current release.

Comment 5 John Thacker 2006-10-28 10:58:59 EDT
This seems to be fixed in FC6.  (Well, it does pick up the entire PATH from
root, but it doesn't grab other variables.)  I'm not sure when it was fixed, but
this bug was never closed.

Note that FC1 and FC2 are no longer supported even by Fedora Legacy.  If this
still occurs on FC3 or FC4, please assign to that version and Fedora Legacy.
If it still occurs on FC5, please reopen and assign to the correct version.

Closing bug.
