Bug#426426: SetEnv PERL5LIB ... cleaned by suEXEC

To: 426426@bugs.debian.org
Subject: Bug#426426: SetEnv PERL5LIB ... cleaned by suEXEC
From: Anders Kaseorg <andersk@MIT.EDU>
Date: Wed, 19 Sep 2007 19:09:39 -0400
Message-id: <[🔎] 1190243379.7000.38.camel@balanced-tree.mit.edu>
Reply-to: Anders Kaseorg <andersk@MIT.EDU>, 426426@bugs.debian.org

I don't think PERL5LIB can be added to the suexec safe list.  The goal
of suexec is to protect users from a malicious/compromised httpd, but if
httpd can set PERL5LIB, it can run arbitrary code as the user.

I would like there to be a solution for this, but it needs to be handled
on the Perl side.

Reply to:

Prev by Date: Processed: tagging 443196, user debian-release@lists.debian.org, usertagging 443196, tagging 441845
Next by Date: Bug#443310: apache2: [error] (9)Bad file descriptor: apr_socket_accept: (client socket)
Previous by thread: Processed: tagging 443196, user debian-release@lists.debian.org, usertagging 443196, tagging 441845
Next by thread: Bug#443310: apache2: [error] (9)Bad file descriptor: apr_socket_accept: (client socket)
Index(es):
- Date
- Thread