Bug 43906 - SetEnv does not allow PATH override
Summary: SetEnv does not allow PATH override
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Core
Version: 2.2.4
Hardware: All All
Importance: P1 regression with 3 votes
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-11-19 09:52 UTC by Anton Lavrentiev
Modified: 2014-05-20 11:50 UTC
Description Anton Lavrentiev 2007-11-19 09:52:16 UTC
SetEnv PATH "/usr/bin:/bin"
does not work (it's an undocumented exception among a few more) because of
special treatment in server/util_script.c::ap_add_common_vars(), which always
takes PATH as inherited from Apache startup environment.  The startup
environment can be rather "wide", and narrowing it down with an appropriate
SetEnv PATH (as shown) seems like a good security measure.  But to no avail
with the current implementation.  Note that another commonly used environment,
closely related to PATH but only in terms of shared libraries rather than
commands, LD_LIBRARY_PATH *can* be overridden with SetEnv directive.
Comment 1 Alexandre Ferrieux 2009-10-07 06:34:41 UTC
Any news? A workaround? This bug makes the User directive really clumsy, since each and every CGI must set the PATH to reach other per-user executables.

Also notice that not documenting it is a nightmare, since the only googlable documentation relative to SetEnv and PATH is the Apache 1 one, which takes "SetEnv PATH" as an example! Having a regression from 1 to 2 is one thing, hiding it is something else...
Comment 2 Nick Kew 2009-12-20 15:09:30 UTC
This is marked "regression".  What Apache version behaved differently?  A look at svn suggests this goes back a very long way.

It seems to me that changing this behaviour could open serious security issues in existing configurations.  What's needed is for the behaviour to be consistent and adequately documented.

I agree it's inconsistent for PATH and LD_LIBRARY_PATH to differ, and AFAICS what you ask for seems reasonable.  I'll raise this on the dev list.
Comment 3 Nick Kew 2010-07-19 19:42:09 UTC
Fixed in r965679.

The thread on dev@ was brief and uncontroversial at http://marc.info/?l=apache-httpd-dev&m=126138054810936&w=2
Comment 4 Shreyas Kulkarni 2014-05-20 04:34:22 UTC
We are using Apache 2.2.23, but still have this problem of Apache not honoring SetEnv PATH. This stops us from using different PATHs for different virtual hosts, since the alternate option of setting the startup envs through envvars can't be set per virtual host.

I can see this bug is resolved fixed, but don't see any target milestone on this one. Which version was this fix released in?

Thanks.
Comment 5 Jeff Trawick 2014-05-20 11:50:33 UTC
The change is not in the 2.2.x branch.  It is available in all 2.4.x releases.
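
A CGI-side workaround for 2.2.x, added here as an example; it is not part of the bug thread or of httpd. Because PATH is special-cased while other names set with SetEnv reach the script, the directory list can be passed per virtual host under another name and validated before use. The variable name `CGI_PATH`, the function names and the fallback `/usr/bin:/bin` are assumptions.

```shell
#!/bin/sh
# Added example: pin PATH inside a CGI script on httpd 2.2.x.
# Assumed per-vhost config (CGI_PATH is a hypothetical name, not an httpd one):
#   SetEnv CGI_PATH "/usr/bin:/bin"

# Print the colon-separated list in $1 reduced to absolute, unique entries.
# Empty and relative entries resolve against the current directory, so they
# are dropped; entries containing "." or ".." components are dropped as well.
clean_path() {
    out=
    old_ifs=$IFS
    IFS=:
    set -f                          # no globbing while splitting on ':'
    for dir in $1; do
        case $dir in
            /*) ;;                  # absolute entry: keep checking
            *)  continue ;;         # empty or relative entry: drop
        esac
        case $dir in
            */..|*/../*|*/.|*/./*) continue ;;   # dot components: drop
        esac
        case ":$out:" in
            *":$dir:"*) continue ;; # already listed: drop duplicate
        esac
        out=${out:+$out:}$dir
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# Print the PATH to use for this request: the cleaned CGI_PATH, or a fixed
# minimal default when CGI_PATH is unset or nothing in it survives cleaning.
effective_path() {
    p=$(clean_path "${CGI_PATH-}")
    printf '%s\n' "${p:-/usr/bin:/bin}"
}

# Call this first in the CGI script, before any external command runs.
pin_path() {
    PATH=$(effective_path)
    export PATH
}
```

On 2.4.x, where `SetEnv PATH` is honored, the same cleaning can be applied to the inherited `PATH` itself.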