
Bug 206046

Summary: baselayout should clean out environment for initscripts
Product: Gentoo Security
Reporter: Thomas de Grivel <billitch>
Component: Default Configs
Assignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Thomas de Grivel 2008-01-16 01:55:22 UTC
The apache initscript from the ebuild does not reset environment before starting the server, which inherits the environment of the user launching it, root or sudoer.

This can easily be seen in a phpinfo page where the global variable _ENV[] lists all the inherited environment.


Reproducible: Always

Steps to Reproduce:
1. Install apache and php
2. Start apache manually with sudo
3. Create a phpinfo page containing a sole call to phpinfo();
4. Access this page
Actual Results:  
At the end, in the environment section, usual user environment variables like PATH, HOME and TERM appear in the global variable _ENV[]


Expected Results:  
User environment should be discarded by initscript by calling apachectl from /usr/bin/env -i apachectl ...

Comment 1 Jakub Moc (RETIRED) gentoo-dev 2008-01-16 06:28:48 UTC
This is a baselayout and not apache issue, plus it's already been fixed as much as possible in baselayout-2*.

Stuff in /lib/rc/conf.d/env_whitelist is required for properly working initscripts and *cannot* be cleaned out. So, TERM, PATH, HOME will stay there no matter whether you like it or not.


*** This bug has been marked as a duplicate of bug 199915 ***
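
Added example, not part of the bug thread and not baselayout's own code: a shell sketch of the approach both comments point at, combining `env -i` with a whitelist so a daemon started from a root or sudo session inherits only named variables. The function name `run_clean` and the `WHITELIST` contents are assumptions made for illustration; they are not the contents of /lib/rc/conf.d/env_whitelist.

```shell
#!/bin/sh
# Constructed sample whitelist (assumption, not baselayout's real list).
WHITELIST="PATH HOME TERM"

# run_clean CMD [ARGS...]   (hypothetical helper name)
# Runs CMD under `env -i`, passing through only the whitelisted variables
# that are set in the calling shell. Everything else (tokens, proxy
# settings, SUDO_* variables, ...) is dropped before the process starts.
run_clean() {
    # Subshell: positional parameters are rebuilt without touching the caller.
    (
        n=$#
        for name in $WHITELIST; do
            # Accept only well-formed variable names before using eval.
            case $name in
                ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) continue ;;
            esac
            # Skip whitelisted names that are unset in the caller.
            eval "[ \"\${$name+set}\" = set ]" || continue
            eval "val=\$$name"
            # Append NAME=value as one argument, so spaces in values survive.
            set -- "$@" "$name=$val"
        done
        # Rotate the original command words behind the NAME=value pairs,
        # giving: env -i NAME=value ... CMD ARGS...
        while [ "$n" -gt 0 ]; do
            set -- "$@" "$1"
            shift
            n=$((n - 1))
        done
        exec env -i "$@"
    )
}

# Usage, following the report's suggestion:
#   run_clean apachectl start
```

Running `run_clean env` from the same session used to start the service prints exactly what the child would inherit, which is a quick check before and after changing the whitelist.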