
Bug#257645: marked as done (Clean up environment before start?)



Your message dated Thu, 08 Jul 2004 14:17:05 -0400
with message-id <E1BidSD-0001YA-00@newraff.debian.org>
and subject line Bug#241579: fixed in apache2 2.0.50-3
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 4 Jul 2004 21:53:11 +0000
>From ssmeenk@freshdot.net Sun Jul 04 14:53:10 2004
Return-path: <ssmeenk@freshdot.net>
Received: from dot.freshdot.net [80.69.73.239] (661cfbf2cad91946389859281b07f2cf)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1BhEv8-0008OJ-00; Sun, 04 Jul 2004 14:53:10 -0700
Received: from ssmeenk by dot.freshdot.net with local (Exim 4.34)
	id 1BhEv7-0007Iu-Ev
	for submit@bugs.debian.org; Sun, 04 Jul 2004 23:53:09 +0200
Date: Sun, 4 Jul 2004 23:53:09 +0200
From: Sander Smeenk <ssmeenk@freshdot.net>
To: submit@bugs.debian.org
Subject: Clean up environment before start?
Message-ID: <20040704215309.GB15661@freshdot.net>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="pf9I7BMVVzbSWLtt"
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040523i
X-SA-Exim-Connect-IP: <locally generated>
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-5.1 required=4.0 tests=BAYES_44,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 


--pf9I7BMVVzbSWLtt
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Package: apache2-common
Version: 2.0.49-1
Severity: minor

Hello.

Recently I discovered that when cgi-scripts read out the environment
table, what they would see was root's environment set at the moment of
starting apache2. In my case, this contained my full name, my full email
address, IRC nick, IRC server etc, etc, because I one time copied the
.zshrc from my normal user to root's account. 

I didn't really like this information leakage, especially since more and
more people start using my server to host websites on. But then again,
it was pretty much expectable behaviour that needs a fix. :)

My idea to solve this was to clean the environment before actually
starting the daemon. A trivial little diff is attached. I think it
would really be nice to put this in. There's really no need for 
LS_COLORS, LESSOPEN, LESSCLOSE, or READNULLCMD environment variables
to Apache. ;)

With my regards,
Sander.
-- 
| For tech support dial exactly the value of 22 divided by 7.
| 1024D/08CEC94D - 34B3 3314 B146 E13C 70C8  9BDB D463 7E41 08CE C94D

--pf9I7BMVVzbSWLtt
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="apache2.diff"

--- etc/init.d/apache2.orig	2004-07-04 23:50:21.000000000 +0200
+++ etc/init.d/apache2	2004-07-04 23:50:40.000000000 +0200
@@ -3,7 +3,15 @@
 # apache2		This init.d script is used to start apache2.
 #			It basically just calls apache2ctl.
 
-PATH=/sbin:/bin:/usr/sbin:/usr/bin
+for envkey in `env | cut -d'=' -f1`
+do
+  unset $envkey
+done
+
+export PATH=/sbin:/bin:/usr/sbin:/usr/bin
+export PWD=`pwd`
+export HOME='/tmp'
+export PS1='\u@\h:\w\$ '
 
 #[ `ls -1 /etc/apache2/sites-enabled/ | wc -l | sed -e 's/ *//;'` -eq 0 ] && \
 #echo "You haven't enabled any sites yet, so I'm not starting apache2." && \
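
Review bot: In the added loop, `env | cut -d'=' -f1` reads the environment line by line, so a value that contains a newline produces fragments that are then passed unquoted to `unset $envkey`. Starting from an empty environment at the point where the daemon is launched (for example `env -i PATH=/sbin:/bin:/usr/sbin:/usr/bin` in front of the apache2ctl call the header comment mentions) avoids parsing `env` output at all. `export HOME='/tmp'` points HOME at a world-writable directory, so anything started from this script that reads configuration from $HOME would consult files any local user can create; leave HOME unset or use a root-owned directory. `PS1` and `PWD` serve no purpose for a non-interactive daemon and can be dropped, which keeps the exported set to what Apache actually needs.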

--pf9I7BMVVzbSWLtt--
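
One way to start a child with a cleaned environment, as the report proposes, and to check what it can still see. This is an added example, not code from the bug report or from the Debian package; the function names, the allowlist and the sample variables are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: allowlisted environment for a daemon started from a root shell.

# Assumed allowlist for illustration: the only variables the child may receive.
CLEAN_PATH=/sbin:/bin:/usr/sbin:/usr/bin
ALLOWED="LANG PATH"

# run_clean CMD [ARGS...]: run CMD with a fresh environment. env -i starts
# from an empty table, so nothing exported by root's rc files reaches CMD
# unless it is named here.
run_clean() {
    env -i PATH="$CLEAN_PATH" LANG=C "$@"
}

# visible_names [LAUNCHER...]: variable names a child started through
# LAUNCHER can see. The parse is line based, so a value containing a newline
# followed by NAME= is reported as an extra name (over-reporting only).
visible_names() {
    "$@" env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' | sort -u
}

# unexpected_names [LAUNCHER...]: visible names that are not on the allowlist.
# Empty output means nothing beyond the allowlist reaches the child.
unexpected_names() {
    visible_names "$@" | while read -r name; do
        case " $ALLOWED " in
            *" $name "*) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Constructed sample of personal data an rc file might export.
export IRCNICK='example_nick'
export EMAIL='admin@example.invalid'

echo "inherited start leaks: $(unexpected_names | tr '\n' ' ')"
echo "clean start leaks:     $(unexpected_names run_clean | tr '\n' ' ')"
```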

---------------------------------------
Received: (at 241579-close) by bugs.debian.org; 8 Jul 2004 18:19:41 +0000
>From katie@ftp-master.debian.org Thu Jul 08 11:19:41 2004
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1BidUj-0007ME-00; Thu, 08 Jul 2004 11:19:41 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1BidSD-0001YA-00; Thu, 08 Jul 2004 14:17:05 -0400
From: Thom May <thom@debian.org>
To: 241579-close@bugs.debian.org
X-Katie: $Revision: 1.51 $
Subject: Bug#241579: fixed in apache2 2.0.50-3
Message-Id: <E1BidSD-0001YA-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Thu, 08 Jul 2004 14:17:05 -0400
Delivered-To: 241579-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

Source: apache2
Source-Version: 2.0.50-3

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

apache2-common_2.0.50-3_sparc.deb
  to pool/main/a/apache2/apache2-common_2.0.50-3_sparc.deb
apache2-doc_2.0.50-3_all.deb
  to pool/main/a/apache2/apache2-doc_2.0.50-3_all.deb
apache2-mpm-perchild_2.0.50-3_sparc.deb
  to pool/main/a/apache2/apache2-mpm-perchild_2.0.50-3_sparc.deb
apache2-mpm-prefork_2.0.50-3_sparc.deb
  to pool/main/a/apache2/apache2-mpm-prefork_2.0.50-3_sparc.deb
apache2-mpm-threadpool_2.0.50-3_sparc.deb
  to pool/main/a/apache2/apache2-mpm-threadpool_2.0.50-3_sparc.deb
apache2-mpm-worker_2.0.50-3_sparc.deb
  to pool/main/a/apache2/apache2-mpm-worker_2.0.50-3_sparc.deb
apache2-prefork-dev_2.0.50-3_all.deb
  to pool/main/a/apache2/apache2-prefork-dev_2.0.50-3_all.deb
apache2-threaded-dev_2.0.50-3_all.deb
  to pool/main/a/apache2/apache2-threaded-dev_2.0.50-3_all.deb
apache2_2.0.50-3.diff.gz
  to pool/main/a/apache2/apache2_2.0.50-3.diff.gz
apache2_2.0.50-3.dsc
  to pool/main/a/apache2/apache2_2.0.50-3.dsc
apache2_2.0.50-3_sparc.deb
  to pool/main/a/apache2/apache2_2.0.50-3_sparc.deb
libapr0-dev_2.0.50-3_sparc.deb
  to pool/main/a/apache2/libapr0-dev_2.0.50-3_sparc.deb
libapr0_2.0.50-3_sparc.deb
  to pool/main/a/apache2/libapr0_2.0.50-3_sparc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 241579@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thom May <thom@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu,  8 Jul 2004 16:04:31 +0100
Source: apache2
Binary: apache2 apache2-prefork-dev apache2-mpm-prefork apache2-doc libapr0-dev apache2-mpm-threadpool apache2-mpm-worker libapr0 apache2-threaded-dev apache2-common apache2-mpm-perchild
Architecture: source all sparc
Version: 2.0.50-3
Distribution: unstable
Urgency: high
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Thom May <thom@debian.org>
Description: 
 apache2    - Next generation, scalable, extendable web server
 apache2-common - Next generation, scalable, extendable web server
 apache2-doc - Documentation for apache2
 apache2-mpm-perchild - Experimental High speed perchild threaded model for Apache2
 apache2-mpm-prefork - Traditional model for Apache2
 apache2-mpm-threadpool - Experimental High speed thread pool model for Apache2
 apache2-mpm-worker - High speed threaded model for Apache2
 apache2-prefork-dev - Development headers for apache2
 apache2-threaded-dev - Development headers for apache2
 libapr0    - The Apache Portable Runtime
 libapr0-dev - Development headers for libapr
Closes: 232956 241579 244847 252918 258202 258217
Changes: 
 apache2 (2.0.50-3) unstable; urgency=high
 .
   * Brown paper bag of epic proportion. Build all mpms with the proper
     collection of libraries. (Closes: #258217, #258202)
   * Clean up environment (Closes: #241579)
   * Clarify prefork description (Closes: #252918)
   * Make apache2-default/manual DTRT (Closes: #244847)
   * Note that we don't ship INSTALL or README.platforms (Closes: #232956)
Files: 
 6fffc8738e048594b8579f96804adb5c 1725 net optional apache2_2.0.50-3.dsc
 bad667c21b0969799337c33626df9a7f 96227 net optional apache2_2.0.50-3.diff.gz
 83cf0823aeb91309965a445418700e3d 3175582 doc optional apache2-doc_2.0.50-3_all.deb
 f79a360f2a0915da576d9f4343dd6972 160456 devel optional apache2-prefork-dev_2.0.50-3_all.deb
 f46b55f8cecee1bda9ca9d8d3f25db4f 161752 devel optional apache2-threaded-dev_2.0.50-3_all.deb
 2bf1b26cffc0faec969cbbf217872ad6 834038 net optional apache2-common_2.0.50-3_sparc.deb
 e54f5f15cdf7ccc31a23b2fe69b1754b 208948 net optional apache2-mpm-worker_2.0.50-3_sparc.deb
 c1a869daf5c2436bdab0d190e29cbf46 230318 net optional apache2-mpm-threadpool_2.0.50-3_sparc.deb
 28fec28c5b5b7290ea1dd848a7bb06e5 233272 net optional apache2-mpm-perchild_2.0.50-3_sparc.deb
 54ef27ffb4c613ca36b1868e2ad9dfe0 227812 net optional apache2-mpm-prefork_2.0.50-3_sparc.deb
 d0402b05cc39adee85d48647dc6f606f 117086 net optional libapr0_2.0.50-3_sparc.deb
 a395b547b608fb666995a0b0e86a0497 254814 libdevel optional libapr0-dev_2.0.50-3_sparc.deb
 438fb9ee6e3b62eea23580c26b7861c2 27258 web optional apache2_2.0.50-3_sparc.deb



