Hrm..  You seem to have worked out your issue yourself.  Yes, Apache by 
default inherits the environment it is started from.  Sometimes this is 
quite useful as some things need to be configured via environment 
variables, i.e. Oracle.  If you don't want any of your environment 
exposed, it is easy to start Apache with a clean one as you discovered.

-Rasmus

On Thu, 6 Dec 2001, Gerard Onorato wrote:

> I have a question about PHP under apache.
> I was playing with some PHP4.0.6 apps running under apache 1.3.20 on a
> vanilla RedHat 7.1 box. I was logged in as 'xyz' on the box via SSH.
> I 'su'd to root to restart apache (/etc/init.d/httpd restart) a few times
> during testing.
> 
> In one of my tests I exploited an exec function that sent unchecked input to
> shell. The input I gave was "...some expected input; echo TEST|mail myuserID"
> and I ended up getting the email but (the part that concerns me even more
> than the "hole") is that the email came from the 'xyz' userID!
> 
> A peek at 'ps' shows httpd -is- running as 'apache' (as expected)
> but...after quite a lengthy investigation, phpinfo(), e.g.
>   <?
>   // phpinfo.php
>   phpinfo();
>   ?>
> shows, in the "Environment" section of the output, the environment VARS
> (PATH, MANPATH, USER, SSH session, etc...) of the -xyz- user that restarted httpd!
> 
> I rebooted and let httpd come up "normally" and the same exploit sends mail
> as 'anonymous'. But after 'xyz' login, su and restart...email is sent
> as -xyz-?!?
> 
> After more investigation, I see this has been discussed before:
> 
> Some defensiveness from apache developers:
> http://www.geocrawler.com/mail/thread.php3?subject=general%2F6600%3A+phpinfo%28%29+returns+a+user+environment&list=192
> 
> workaround offered at:
> http://www.phpbuilder.com/mail/php-developer-list/2001042/0459.php
> 
> So... I added "env -i" to the /etc/init.d/httpd script
>   e.g. daemon env -i $httpd ......
> 
> 'xyz' login, su and restart (with 'env -i') and now the phpinfo() output has
> -nothing- listed in the Environment section. I guess that's to be expected
> but I'm still left scratching my head as to why the 'env -i' is not used
> -by default- in the RedHat (or other) httpd rc script for apache and what
> else might be impacted by doing so.
> 
> Is this just a PHP-under-apache issue?
> Insight anyone?
> 

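The inheritance problem and the `env -i` fix discussed in the thread, as an added example that is not from either poster: a launcher that inherits the calling shell's environment (as the stock rc script did), a launcher that scrubs it with `env -i` and re-exports only an explicit allowlist, and a check that reports whether a given variable reaches the child. Function names, the allowlist and the `LEAK_TEST_VAR` sample are my own choices; it assumes a POSIX sh with `env`, `grep` and `cut` on the PATH.

```shell
#!/bin/sh
# Added example, not code from the thread. Shows why a daemon restarted from an
# interactive `su` session carries that user's environment, and how `env -i`
# with an explicit allowlist (the `daemon env -i $httpd` change) prevents it.

# Start a command the way a plain init script does: every variable of the shell
# that ran `su` and restarted the service is silently passed to the daemon.
start_inheriting() {
    "$@"
}

# Start a command with a scrubbed environment: `env -i` empties it, and only
# the variables a service legitimately needs are re-exported with fixed values.
# Assumed allowlist: PATH and LANG; extend it for things like ORACLE_HOME.
start_clean() {
    env -i PATH=/usr/bin:/bin LANG=C "$@"
}

# Check whether variable $2 is visible to a child started via launcher $1.
# Returns 0 (true) if it leaks, 1 otherwise. This is the same question
# phpinfo()'s "Environment" section answers for a running httpd.
var_reaches_child() {
    "$1" sh -c 'env' | grep -q "^$2="
}

# List every variable name the child sees, for a quick audit of a launcher.
child_env_names() {
    "$1" sh -c 'env' | cut -d= -f1 | sort | tr '\n' ' '
}

# Demonstration with a constructed variable standing in for SSH_CLIENT, USER, etc.
LEAK_TEST_VAR="constructed-session-secret"
export LEAK_TEST_VAR
for launcher in start_inheriting start_clean; do
    if var_reaches_child "$launcher" LEAK_TEST_VAR; then
        printf '%s: LEAK_TEST_VAR reaches the child\n' "$launcher"
    else
        printf '%s: LEAK_TEST_VAR does not reach the child\n' "$launcher"
    fi
    printf '%s sees: %s\n' "$launcher" "$(child_env_names "$launcher")"
done
```

Running it from a login shell prints the full session environment for `start_inheriting` and only `PATH LANG` (plus whatever `sh` itself sets, such as `PWD`) for `start_clean`.
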
-- 
PHP General Mailing List (http://www.php.net/)