Red Hat Bugzilla – Bug 118198
unclean httpd environment with apachectl
Last modified: 2007-11-30 17:10:38 EST
Description of problem:
apachectl doesn't clean up the environment before starting httpd. This
results in making all environment variables of the calling user visible to
CGI scripts. I think that:
1. it is a potential security risk; for example, all SSH forwarding
variables are visible (SSH_*)
2. it can also mess up some modules or libraries called from Apache or
CGI scripts, think for example of locales (LANG and LC_* variables) or
more specifically PostgreSQL data formatting (PGDATASTYLE var...) in PHP.
BTW, /etc/init.d/httpd should *always* use apachectl to avoid
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Log in as root,
2. Do "apachectl stop" then "apachectl start"
3. Look at some CGI script that outputs environment like "printenv"
and compare with root's env...
*All* environment variables of the apachectl calling user (mainly
root) are made visible from CGI scripts, including sensitive ones...
httpd should be started with a clean, controlled environment.
Easy to fix, I included the modified httpd-2.0.40-apctl.patch file.
Created attachment 98510 [details]
Modified apachectl.in patch
This patch defines an ENV variable looking like this:
ENV="/bin/env - PATH=/usr/bin:/bin:/usr/local/bin $HTTPD_ENV"
Which is then used to launch httpd:
$ENV $HTTPD <args...>
Thanks, yes, this happens if you start httpd from /etc/init.d/httpd
too; as covered in bug 97604, whereas if you use "service httpd start"
you get a clean environment. Your change looks good for FC2.
1) After reading bug 97604 descriptions, I shall add that the $ENV
definition may be changed to:
ENV="/bin/env -i LANG=$LANG PATH=/usr/bin:/bin:/usr/local/bin $HTTPD_ENV"
(using "-i" instead of "-" and adding LANG)
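
The effect of the "env -i" wrapper discussed in the comments above, as an added example that is not part of the bug report or the attached patch. It lists which variable names a child process receives with and without the wrapper; the SSH_* values and the content of HTTPD_ENV are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not the attached patch: shows which variable names reach a
# child process with and without an "env -i" wrapper.

# Constructed values standing in for a root login over SSH.
SSH_AUTH_SOCK=/tmp/ssh-constructed/agent.1234
SSH_CLIENT="192.0.2.10 50000 22"
export SSH_AUTH_SOCK SSH_CLIENT

# Constructed content for $HTTPD_ENV (the page does not show its value).
HTTPD_ENV="HTTPD_LANG=C"

# Reduce "env" output to a sorted list of variable names.
names_only() {
    sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' | sort -u
}

# What a child sees when it inherits the caller's environment unchanged.
inherited_names() {
    env | names_only
}

# What a child sees when started through the scrubbed wrapper.
# $HTTPD_ENV is left unquoted on purpose so it splits into NAME=value words.
scrubbed_names() {
    env -i LANG="${LANG:-C}" PATH=/usr/bin:/bin:/usr/local/bin $HTTPD_ENV \
        env | names_only
}

# Names that would leak to the child if the wrapper were not used.
leaked_names() {
    allowed=$(scrubbed_names)
    inherited_names | grep -vxF -e "$allowed" || :
}

echo "scrubbed child sees: $(scrubbed_names | tr '\n' ' ')"
echo "leaked without wrapper: $(leaked_names | tr '\n' ' ')"
```

Running the same comparison against the output of a CGI "printenv" script gives a quick regression check that the start script still scrubs the environment after a package update.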
Fedora Core 1 is maintained by the Fedora Legacy project for security updates
only. If this problem is a security issue, please reopen and reassign to the
Fedora Legacy product. If it is not a security issue and hasn't been resolved in
the current FC5 updates or in the FC6 test release, reopen and change the
version to match.
NOTE: Fedora Core 1 is reaching the final end of support even by the Legacy
project. After Fedora Core 6 Test 2 is released (currently scheduled for July
26th), there will be no more security updates for FC1. Please use these next two
weeks to upgrade any remaining FC1 systems to a current release.
This seems to be fixed in FC6. (Well, it does pick up the entire PATH from
root, but it doesn't grab other variables.) I'm not sure when it was fixed, but
this bug was never closed.
Note that FC1 and FC2 are no longer
supported even by Fedora Legacy. If this still occurs on FC3 or FC4, please
assign to that version and Fedora Legacy. If it still occurs on FC5,
please reopen and assign to the correct version.