Bug#257645: Clean up environment before start?
Package: apache2-common
Version: 2.0.49-1
Severity: minor
Hello.
Recently I discovered that when cgi-scripts read out the environment
table, what they would see was root's environment set at the moment of
starting apache2. In my case, this contained my full name, my full email
address, IRC nick, IRC server etc, etc, because I one time copied the
.zshrc from my normal user to root's account.
I didn't really like this information leakage, especially since more and
more people start using my server to host websites on. But then again,
it was pretty much expectable behaviour that needs a fix. :)
My idea to solve this was to clean the environment before actually
starting the daemon. A trivial little diff is attached. I think it
would really be nice to put this in. There's really no need for
LS_COLORS, LESSOPEN, LESSCLOSE, or READNULLCMD environment variables
to Apache. ;)
With my regards,
Sander.
--
| For tech support dial exactly the value of 22 divided by 7.
| 1024D/08CEC94D - 34B3 3314 B146 E13C 70C8 9BDB D463 7E41 08CE C94D
--- etc/init.d/apache2.orig 2004-07-04 23:50:21.000000000 +0200
+++ etc/init.d/apache2 2004-07-04 23:50:40.000000000 +0200
@@ -3,7 +3,15 @@
# apache2 This init.d script is used to start apache2.
# It basically just calls apache2ctl.
-PATH=/sbin:/bin:/usr/sbin:/usr/bin
+for envkey in `env | cut -d'=' -f1`
+do
+ unset $envkey
+done
+
+export PATH=/sbin:/bin:/usr/sbin:/usr/bin
+export PWD=`pwd`
+export HOME='/tmp'
+export PS1='\u@\h:\w\$ '
#[ `ls -1 /etc/apache2/sites-enabled/ | wc -l | sed -e 's/ *//;'` -eq 0 ] && \
#echo "You haven't enabled any sites yet, so I'm not starting apache2." && \
Reply to: