Hosting Provided By

Bug#426426: SetEnv PERL5LIB ... cleaned by suEXEC

From: Anders Kaseorg <andersk(at)MIT.EDU>
Date: Wed Sep 19 2007 - 19:09:39 EDT

I don't think PERL5LIB can be added to the suexec safe list. The goal of suexec is to protect users from a malicious/compromised httpd, but if httpd can set PERL5LIB, it can run arbitrary code as the user.

I would like there to be a solution for this, but it needs to be handled on the Perl side.

-- 
To UNSUBSCRIBE, email to debian-apache-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Received on Wed Sep 19 19:25:11 2007

This message: [ Message body ]
Next message: Patrick Nijs: "Bug#443310: apache2: [error] (9)Bad file descriptor: apr_socket_accept: (client socket)"
Previous message: Debian Bug Tracking System: "Processed: tagging 443196, user debian-release@lists.debian.org, usertagging 443196, tagging 441845"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Sun Oct 07 2007 - 07:57:41 EDT