- Subject: Re: WebLua
- From: Björn De Meyer <bjorn.demeyer@...>
- Date: Mon, 15 Jul 2002 21:16:22 +0200
Christian Vogler wrote:
>
> Hi Björn,
> are you sure that this variable is not inherited from the Apache
> environment? In many configurations Apache typically runs a process
> as root and drops the privileges once it accepts an HTTP connection.
>
> The right way to find out is to use geteuid().
>
> If the effective user id is indeed root, this would look like a
> gross oversight by the sourceforge admins. I think that rather
> unlikely.
>
> - Christian
Hmmm, you are probably right there, although the maintainer
of WebLua will be able to tell us what's really going on.
I should have realised the script was also running on
Sourceforge. Probably, the script is not running as
effective user root.
Anyway, allowing getenv is probably not a good idea,
as it could be used to gather some information about the
system. It's a "privacy" leak, if you will. So, either
setting up a phoney environment, or disabling getenv
is still. In fact, as I write this, getenv() has
already been disabled at the site.
--
"No one knows true heroes, for they speak not of their greatness." --
Daniel Remar.
Björn De Meyer
bjorn.demeyer@pandora.be
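
Added example, not part of the original message or of WebLua: a C sketch of the two points in this thread, that an inherited environment variable does not show which user a process runs as while `geteuid()` does, and that a "phoney" environment can replace the inherited one before untrusted scripts run. The thread does not name the variable; `USER`/`LOGNAME`, the helper names and the values in `phoney_env` are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* User name claimed by the inherited environment (USER, then LOGNAME).
 * The parent chooses these strings; dropping privileges does not change them. */
static const char *env_claimed_user(void) {
    const char *u = getenv("USER");
    if (u == NULL || *u == '\0')
        u = getenv("LOGNAME");
    return u; /* NULL when neither is set */
}

/* 1 when the environment says "root" but the effective uid the kernel
 * enforces is not 0, i.e. the variable is a leftover from the parent. */
static int env_root_claim_is_stale(void) {
    const char *u = env_claimed_user();
    return u != NULL && strcmp(u, "root") == 0 && geteuid() != 0;
}

/* Constructed "phoney" environment: fixed values, nothing inherited. */
static char *phoney_env[] = { "PATH=/usr/bin:/bin", "USER=nobody", NULL };

/* Swap in the phoney environment before running untrusted scripts, so
 * getenv() in the sandbox can no longer reveal the host's settings. */
static void install_phoney_env(void) {
    environ = phoney_env;
}

int main(void) {
    const char *u = env_claimed_user();
    printf("environment claims: %s\n", u ? u : "(unset)");
    printf("effective uid:      %lu\n", (unsigned long)geteuid());
    if (env_root_claim_is_stale())
        puts("USER=root is inherited; the process is not running as root");
    install_phoney_env();
    printf("after scrubbing:    USER=%s HOME=%s\n",
           getenv("USER"), getenv("HOME") ? getenv("HOME") : "(unset)");
    return 0;
}
```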