- Subject: Re: WebLua
- From: Björn De Meyer <bjorn.demeyer@...>
- Date: Mon, 15 Jul 2002 21:16:22 +0200
Christian Vogler wrote:
> Hi Björn,
> are you sure that this variable is not inherited from the Apache
> environment? In many configurations Apache typically runs a process
> as root and drops the privileges once it accepts an HTTP connection.
> The right way to find out is to use geteuid().
> If the effective user id is indeed root, this would look like a
> gross oversight by the sourceforge admins. I think that rather
> - Christian
Hmmm, you are probably right there, although the maintainer
of WebLua will be able to tell us what's really going on.
I should have realised the script was also running on
Sourceforge. Probably, the script is not running as
effective user root.
Anyway, allowing getenv is probably not a good idea,
as it could be used to gather some information about the
system. It's a "privacy" leak, if you will. So, either
setting up a phoney environment, or disabling getenv
is still. In fact, as I write this, getenv() has
already been disabled at the site.
"No one knows true heroes, for they speak not of their greatness." --
Björn De Meyer
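
The check Christian describes, as an added example that is not part of the original messages: a user name taken from an inherited environment variable is compared against what `geteuid()` reports. The variable name `USER` and the helper `check_identity` are assumptions for illustration; the thread does not say which variable was displayed.

```c
/* Added example: an inherited environment claim versus the kernel's view. */
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

struct id_report {
    uid_t ruid;        /* real uid of the process */
    uid_t euid;        /* effective uid: what permission checks use */
    int   is_root;     /* 1 only if euid == 0 */
    int   env_agrees;  /* 1 only if the claimed name maps to euid */
};

/* claimed_user is whatever the environment says; it may be NULL, empty,
 * or a stale value inherited from a parent that later dropped privileges. */
void check_identity(const char *claimed_user, struct id_report *r)
{
    struct passwd *pw;

    r->ruid = getuid();
    r->euid = geteuid();
    r->is_root = (r->euid == 0);
    r->env_agrees = 0;

    if (claimed_user != NULL && claimed_user[0] != '\0') {
        pw = getpwnam(claimed_user);   /* NULL if no such account */
        if (pw != NULL && pw->pw_uid == r->euid)
            r->env_agrees = 1;
    }
}

int main(void)
{
    struct id_report r;
    const char *claimed = getenv("USER");  /* assumption: variable name */

    check_identity(claimed, &r);
    printf("environment says: %s\n", claimed ? claimed : "(unset)");
    printf("real uid %lu, effective uid %lu, root: %s\n",
           (unsigned long)r.ruid, (unsigned long)r.euid,
           r.is_root ? "yes" : "no");
    if (!r.env_agrees)
        printf("environment does not match the effective uid; "
               "treat it as inherited data, not as identity\n");
    return 0;
}
```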