On Sun, 04 Jul 2004, Sander Smeenk said:

> Package: apache2-common
> Version: 2.0.49-1
> Severity: minor
>
> Hello.
>
> Recently I discovered that when cgi-scripts read out the environment
> table, what they would see was root's environment set at the moment of
> starting apache2. In my case, this contained my full name, my full email
> address, IRC nick, IRC server etc, etc, because I one time copied the
> .zshrc from my normal user to root's account.
>
> I didn't really like this information leakage, especially since more and
> more people start using my server to host websites on. But then again,
> it was pretty much expectable behaviour that needs a fix. :)
>
> My idea to solve this was to clean the environment before actually
> starting the daemon. A trivial little diff is attached. I think it
> would really be nice to put this in. There's really no need for
> LS_COLORS, LESSOPEN, LESSCLOSE, or READNULLCMD environment variables
> to Apache. ;)
>
> With my regards,
> Sander.
> --
> | For tech support dial exactly the value of 22 divided by 7.
> | 1024D/08CEC94D - 34B3 3314 B146 E13C 70C8 9BDB D463 7E41 08CE C94D

> --- etc/init.d/apache2.orig 2004-07-04 23:50:21.000000000 +0200 > +++ etc/init.d/apache2 2004-07-04 23:50:40.000000000 +0200 > @@ -3,7 +3,15 @@ > # apache2 This init.d script is used to start apache2. > # It basically just calls apache2ctl. > > -PATH=/sbin:/bin:/usr/sbin:/usr/bin > +for envkey in `env | cut -d'=' -f1` > +do > + unset $envkey > +done > + > +export PATH=/sbin:/bin:/usr/sbin:/usr/bin > +export PWD=`pwd` > +export HOME='/tmp' > +export PS1='\u@\h:\w\$ '

hmm, shouldn't $HOME be set to what is in http.conf? like /etc/apache2 or whatever it is?

s/

> #[ `ls -1 /etc/apache2/sites-enabled/ | wc -l | sed -e 's/ *//;'` -eq 0 ] && \ > #echo "You haven't enabled any sites yet, so I'm not starting apache2." && \
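
Review bot: the added loop `for envkey in` `env | cut -d'=' -f1` splits the output of `env` line by line, so a variable whose value contains a newline produces extra bogus names that are then passed unquoted to `unset $envkey`; starting the daemon from an empty environment with `env -i` and only the wanted assignments would avoid parsing `env` at all. In the same hunk, `export HOME='/tmp'` points HOME at a world-writable directory, where any local user can place dotfiles that a program started under this environment may read, so a directory writable only by root would be the safer value. `export PS1='\u@\h:\w\$ '` serves no purpose for a non-interactive daemon and can be dropped, and the hunk would benefit from a comment stating which variables are kept on purpose and why.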