• Bug#252627: passing environment to apache : solution ?

    From Clement 'nodens' Hermann@1:229/2 to All on Fri Aug 13 11:30:14 2004
    From: [email protected]

    Hi there,

    About #252627, I perfectly understand the problem leaking env represents.

    However, it is sometimes necessary to pass environment variables to apache.

    The common case is the php+oci8 bindings: you have to pass
    ORACLE_HOME to apache if you want to run php as a module (using SetEnv
    is only possible if php runs as CGI).

    The solution I use is the small attached patch to /etc/init.d/apache.

    It provides a way to pass environment variables via /etc/default/apache,
    if it exists.

    A real world example is attached as well.

    This way, the administrator is responsible and has full control over
    apache's environment if he needs to, which I think is an important thing
    (administrators should be able to choose what information they want/have
    to leak).

    Of course, this file wouldn't pass anything by default and would contain a
    clear warning as a comment.

    Please, consider this compromise.

    Best regards,

    --
    Clément 'nodens' Hermann <[email protected]>
    - Fresh air? That's in RL, isn't it? Isn't that off-charter?
    -- Jean in "l'Histoire des Pingouins" - http://tnemeth.free.fr/fmbl/linuxsf

    --- /etc/init.d/apache.orig Fri Aug 13 10:56:19 2004
    +++ /etc/init.d/apache Fri Aug 13 10:55:12 2004
    @@ -21,6 +21,9 @@
    # ensure we don't leak environment vars into apachectl
    APACHECTL="env -i LANG=${LANG} PATH=${PATH} $APACHECTL"

    +# custom environment is in /etc/default/apache
    +[ -f /etc/default/apache ] && . /etc/default/apache
    +
    if egrep -q -i "^[[:space:]]*ServerType[[:space:]]+inet" $CONF
    then
    exit 0
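    Review bot: the new `. /etc/default/apache` line sits below the `env -i` guard on the APACHECTL line, so whatever the sourced file exports only lands in the init script's own shell; it reaches the daemon only through a start path that does not go through `env -i` (the follow-up in this thread confirms the woody script starts `$DAEMON` directly), and that path then inherits the init script's whole environment rather than just the listed variables. Sourcing the file also executes arbitrary shell from it. Consider putting the wanted values on the `env -i` line itself, e.g. `APACHECTL="env -i LANG=${LANG} PATH=${PATH} $EXTRAENV $APACHECTL"`, instead of relying on inheritance.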

    # /etc/default/apache
    # This file is intended as a way to pass environment variables
    # to apache.
    # WARNING: you should be *very* cautious when adding
    # new environment variables. This could lead to an
    # important information leak.

    # Passing ORACLE_HOME to apache is required to
    # use php-oci8 bindings with php as an apache module
    export ORACLE_HOME=/home/oracle/OraHome1

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)
  • From Matthew Wilcox@1:229/2 to Clement 'nodens' Hermann on Fri Aug 13 14:00:11 2004
    From: [email protected]

    On Fri, Aug 13, 2004 at 11:11:56AM +0200, Clement 'nodens' Hermann wrote:
    > The solution I use is the small attached patch to /etc/init.d/apache.
    >
    > It provides a way to pass environment variables via /etc/default/apache,
    > if it exists.
    >
    > A real world example is attached as well

    Erm, does it actually work? I don't see why it should. I would have
    thought you'd have to add stuff to the env line.

    Look:

    $ cat test.sh
    echo $ORACLE_HOME
    $ export ORACLE_HOME=/home/oracle/OraHome1
    $ ./test.sh
    /home/oracle/OraHome1
    $ env -i ./test.sh

    $ env -i ORACLE_HOME=$ORACLE_HOME ./test.sh
    /home/oracle/OraHome1

    --
    "Next the statesmen will invent cheap lies, putting the blame upon
    the nation that is attacked, and every man will be glad of those conscience-soothing falsities, and will diligently study them, and refuse
    to examine any refutations of them; and thus he will by and by convince
    himself that the war is just, and will thank God for the better sleep
    he enjoys after this process of grotesque self-deception." -- Mark Twain



  • From Clement 'nodens' Hermann@1:229/2 to Matthew Wilcox on Fri Aug 13 17:10:10 2004
    From: [email protected]

    Matthew Wilcox wrote:

    > Erm, does it actually work? I don't see why it should. I would have
    > thought you'd have to add stuff to the env line.


    I thought so as well. But the script does not use $APACHECTL but $DAEMON
    (it's on a woody). Look:

    (http://192.168.0.75/info.php is a simple phpinfo() )

    wanadoo-abv:/# mv /etc/default/apache /etc/default/apache.bak
    wanadoo-abv:/# /etc/init.d/apache restart
    Reloading apache modules.
    wanadoo-abv:/# lynx -dump http://192.168.0.75/info.php | grep ORACLE
    Compile-time ORACLE_HOME /home/oracle/OraHome1
    wanadoo-abv:/#

    (no ORACLE_HOME in apache env)

    wanadoo-abv:/# mv /etc/default/apache.bak /etc/default/apache
    wanadoo-abv:/# /etc/init.d/apache restart
    Reloading apache modules.
    wanadoo-abv:/# lynx -dump http://192.168.0.75/info.php | grep ORACLE
    Compile-time ORACLE_HOME /home/oracle/OraHome1
    ORACLE_HOME /home/oracle/OraHome1
    _ENV["ORACLE_HOME"] /home/oracle/OraHome1
    wanadoo-abv:/#

    (well... it IS there, isn't it ?)

    On sid (and probably sarge), you would use the attached patch and example.

    This is intended as a "clean" way to prevent users from removing the "ENV"
    variable from the init script just to make php-oci8 or anything with similar
    needs work, and losing the "env -i" protection.

    Best regards,

    --
    Clément 'nodens' Hermann <[email protected]>
    - Fresh air? That's in RL, isn't it? Isn't that off-charter?
    -- Jean in "l'Histoire des Pingouins" - http://tnemeth.free.fr/fmbl/linuxsf

    --- /etc/init.d/apache.orig 2004-08-13 16:50:35.000000000 +0200
    +++ /etc/init.d/apache 2004-08-13 16:51:26.000000000 +0200
    @@ -12,7 +12,10 @@
    APACHECTL=/usr/sbin/${NAME}ctl
    # note: SSD is required only at startup of the daemon.
    SSD=`which start-stop-daemon`
    -ENV="env -i LANG=C PATH=/bin:/usr/bin:/usr/local/bin"
    +
    +# import the wanted environment variable (and only these)
    +[ -f /etc/default/apache ] && . /etc/default/apache
    +ENV="env -i LANG=C PATH=/bin:/usr/bin:/sbin:/usr/sbin $EXTRAENV"

    trap "" 1

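    Review bot: the replacement ENV line also changes PATH from `/bin:/usr/bin:/usr/local/bin` to `/bin:/usr/bin:/sbin:/usr/sbin`, dropping /usr/local/bin and adding the sbin directories; that is unrelated to the EXTRAENV feature and should be a separate change or at least explained. Two smaller points on the same hunk: `$EXTRAENV` is deliberately left unquoted so each word becomes one NAME=VALUE argument, which means a value containing whitespace cannot be expressed, and `EXTRAENV` should be set to an empty value before `. /etc/default/apache` so that a stray EXTRAENV already present in the init script's environment is not silently appended to the `env -i` line.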

    # /etc/default/apache
    # This file is intended as a way to pass environment variables
    # to apache. Use the EXTRAENV variable below.

    # WARNING: you should be *very* cautious when adding
    # new environment variables. This could lead to an
    # important information leak.

    # Passing ORACLE_HOME to apache is required to
    # use php-oci8 bindings with php as an apache module.
    # We also need FOO for an internal php admin script.
    EXTRAENV="ORACLE_HOME=/home/oracle/OraHome1 FOO=BAR"
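    As an added illustration of the behaviour argued over in this thread (not code from the bug report, from Debian's init script, or from either poster), the script below reproduces the sid patch's EXTRAENV handling against a constructed stand-in for /etc/default/apache and checks what a child process actually receives behind `env -i`; the temp-file path and the SNEAKY variable are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the bug report or Debian's init script: exercise
# the sid patch's EXTRAENV allow-list. A constructed stand-in for
# /etc/default/apache is written to a temp file (path is an assumption).

DEFAULTS="$(mktemp)"
trap 'rm -f "$DEFAULTS"' EXIT
cat >"$DEFAULTS" <<'EOF'
# constructed sample of /etc/default/apache
export SNEAKY=should_not_reach_daemon   # exported, but not in EXTRAENV
EXTRAENV="ORACLE_HOME=/home/oracle/OraHome1 FOO=BAR"
EOF

# daemon_sees VAR FILE: source FILE the way the patched init script does,
# start a child through the same "env -i ... $EXTRAENV" line, and print
# the value of VAR as that child sees it (empty if it was stripped).
daemon_sees() {
    var=$1; file=$2
    EXTRAENV=""
    [ -f "$file" ] && . "$file"
    # word splitting of $EXTRAENV is intended: each word is one NAME=VALUE
    env -i LANG=C PATH=/bin:/usr/bin:/sbin:/usr/sbin $EXTRAENV \
        printenv "$var" 2>/dev/null || true
}

# export_only_sees VAR: Matthew Wilcox's point -- exporting in the parent
# shell is not enough once the daemon is started behind "env -i".
export_only_sees() {
    export ORACLE_HOME=/home/oracle/OraHome1
    env -i LANG=C PATH=/bin:/usr/bin:/sbin:/usr/sbin \
        printenv "$1" 2>/dev/null || true
}

echo "ORACLE_HOME via EXTRAENV : '$(daemon_sees ORACLE_HOME "$DEFAULTS")'"
echo "FOO via EXTRAENV         : '$(daemon_sees FOO "$DEFAULTS")'"
echo "SNEAKY (export only)     : '$(daemon_sees SNEAKY "$DEFAULTS")'"
echo "ORACLE_HOME (export only): '$(export_only_sees ORACLE_HOME)'"
```

Because the init script splits `$EXTRAENV` on whitespace, only the listed NAME=VALUE words survive, and anything merely exported by the sourced file (SNEAKY here) is discarded by `env -i` exactly as the thread describes.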
