lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Christian Vogler wrote:
> Hi Björn,
> are you sure that this variable is not inherited from the Apache
> environment?  In many configurations Apache typically runs a process
> as root and drops the privileges once it accepts an HTTP connection.
> The right way to find out is to use geteuid().
> If the effective user id is indeed root, this would look like a
> gross oversight by the sourceforge admins. I think that rather
> unlikely.
> - Christian

Hmmm, you are probably right there, although the maintainer 
of WebLua will be able to tell us what's really going on. 
I should have realised the script was also running on 
Sourceforge. Probably, the script is not running as 
effective user root. 

Anyway, allowing getenv is probably not a good idea,
as it could be used to gather some information about the 
system. It's a "privacy" leak, if you will. So, either
setting up a phoney environment, or disabling getenv
is still. In fact, as I write this, getenv() has
already been disabled at the site.

"No one knows true heroes, for they speak not of their greatness." -- 
Daniel Remar.
Björn De Meyer