From owner-freebsd-rc@freebsd.org Fri Jan 25 19:07:01 2019 Return-Path: Delivered-To: freebsd-rc@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 56B2F14BEDB1 for ; Fri, 25 Jan 2019 19:07:01 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mailman.ysv.freebsd.org (mailman.ysv.freebsd.org [IPv6:2001:1900:2254:206a::50:5]) by mx1.freebsd.org (Postfix) with ESMTP id E3C0A6AFFF for ; Fri, 25 Jan 2019 19:07:00 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: by mailman.ysv.freebsd.org (Postfix) id 9EB8714BEDB0; Fri, 25 Jan 2019 19:07:00 +0000 (UTC) Delivered-To: rc@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 624EC14BEDAF for ; Fri, 25 Jan 2019 19:07:00 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.ysv.freebsd.org (mxrelay.ysv.freebsd.org [IPv6:2001:1900:2254:206a::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.ysv.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id F42246AFF8 for ; Fri, 25 Jan 2019 19:06:59 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.ysv.freebsd.org (Postfix) with ESMTPS id 3EB52363 for ; Fri, 25 Jan 2019 19:06:59 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id x0PJ6xOw055561 for ; Fri, 25 Jan 2019 19:06:59 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id x0PJ6xWw055560 for rc@FreeBSD.org; Fri, 25 Jan 2019 19:06:59 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: rc@FreeBSD.org Subject: [Bug 235185] www/fcgiwrap: environment should be cleaned in /usr/local/etc/rc.d/fcgiwrap Date: Fri, 25 Jan 2019 19:06:59 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Ports & Packages X-Bugzilla-Component: Individual Port(s) X-Bugzilla-Version: Latest X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Some People X-Bugzilla-Who: dteske@FreeBSD.org X-Bugzilla-Status: Open X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: rodrigo@FreeBSD.org X-Bugzilla-Flags: maintainer-feedback? X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-rc@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Discussion related to /etc/rc.d design and implementation." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Jan 2019 19:07:01 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D235185 --- Comment #18 from Devin Teske --- (In reply to Rodney W. Grimes from comment #17) There exists a case where "sloppy" may not apply. Legacy jails may often have the following in login.conf: default:\ ...\ =20=20=20=20=20=20 :setenv=3DMAIL=3D/var/mail/$,BLOCKSIZE=3DK,FTP_PASSIVE_MODE=3DYES,PACKAGESI= TE=3Dftp\c//ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/amd64/= 9.2-RELEASE/packages/Latest/:\ ...\ Which naturally sets $PACKAGESITE in the environment for all users. In this case, you may want the environment variable set for all users that login, but you don't want it leaked to services for various reasons (in the OP's case, there may be nothing that can be done about enumerating the environment -- it may be a required setup -- but you don't want this variab= le to give away pertinent security-specific information that could facilitate hacking your machine by knowing which version of the OS is in-use). The default value for the proposed new knob would be NO. The knob would be opt-in only and on a per-service basis. It would act as value-add on top of existing features like above. As for your stated options (a, b, c list), I concur with that list. I would add that as long as the rc.d script uses the rc.subr routines for starting services according to rc.conf settings (descriptive of the fcgiwrap rc.d script), then the new knob would be applied regardless of whether you = use service or invoke the rc.d script manually. --=20 You are receiving this mail because: You are on the CC list for the bug.=