https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=235185
--- Comment #8 from Rodney W. Grimes <rgri...@freebsd.org> --- (In reply to vas from comment #6) I do not think "at present" that has any effect, as I can not find any place that service(8) actually does sanatize the environment, but I may of missed it in my 3 minute scan of that /bin/sh script. Either way, I do now fully support that the package specific rc.d/fcgiwrap script should do a env -i when it invokes this binary due to its potential for being a exfiltration point. Do note that the author of this program is aware of the fact that it can expose its environment and actually has an internal blacklist of env variables, so to me it appears as if the exporting is by design and intentional and the novice user running printenv in a cgi script started by this program has loaded the gun and pulled the trigger. (In reply to vas from comment #7) Realize that if you sanitize the environment in a generic way in the "foo" init system you remove the ability of the system admin to use the environment to effect anything that is started, and that would probably be a larger and painful problem to solve. -- You are receiving this mail because: You are on the CC list for the bug. _______________________________________________ freebsd-rc@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-rc To unsubscribe, send any mail to "freebsd-rc-unsubscr...@freebsd.org"
