Date: Mon, 28 Jan 2019 02:07:32 +0000
From: bugzilla-noreply@freebsd.org
To: rc@FreeBSD.org
Subject: [Bug 235185] www/fcgiwrap: environment should be cleaned in /usr/local/etc/rc.d/fcgiwrap
Message-ID: <bug-235185-20181-niIYZ7B0kd@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-235185-20181@https.bugs.freebsd.org/bugzilla/>
References: <bug-235185-20181@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=235185

--- Comment #34 from Rodney W. Grimes <rgrimes@FreeBSD.org> ---

<Rant Warning ON>
First off, someone teach Bugzilla that top posting this input box is just a royal pain in the ass when you're trying to reply to earlier posts; this whole input box belongs at the BOTTOM of the page.
</Rant>

(In reply to Jilles Tjoelker from comment #31)
I support the idea that we may not want to take this to the extreme of a sanitizer; however, I cannot say that directly invoking /path/rc.d/foo is an incorrect operation, as that existed far longer than services(8).

(In reply to Devin Teske from comment #32)
Having services(8) be different than directly invoked scripts can be considered a) a feature (it allows me to force feed ENV stuff), b) a bug 'cause it can cause evil leaks, or c) a POLA violation 'cause why should they be different. Presently I believe we are in the a) state of affairs, and without additional input we may wish to stay that way, as changing it may cause a POLA issue.

(In reply to vas from comment #33)
I agree with you on the point that invoking rc.d scripts directly is NOT incorrect procedure; see above at reply to #31.

In summary, my current position: I am actually starting to come to the opinion that possibly the only action that we should take AT THIS TIME is to place an env -i in the rc/fcgiwrap script to revoke its bad programming style of environment exposure to a CGI. And to take this idea of a general sanitizer to the next level == arch@freebsd.org

--
You are receiving this mail because:
You are on the CC list for the bug.
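
The env -i approach mentioned in the message above, as an added example that is not part of the original message or of the port's rc.d script: a child started directly inherits whatever the invoking shell exported, while a child started through env -i sees only an explicit allow-list. The variable DB_PASSWORD, its value, the PATH value and the `/bin/sh -c 'env'` stand-in for the CGI process are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration (constructed; not the fcgiwrap port's rc.d script).
# "/bin/sh -c env" stands in for a CGI child that dumps its environment.

# Start the stand-in child the way a directly invoked rc.d script would:
# it inherits everything the administrator's shell has exported.
start_inherited() {
    /bin/sh -c 'env'
}

# Start it through env -i: begin with an empty environment and pass only
# an explicit allow-list (the PATH value here is an assumed example).
start_clean() {
    env -i PATH=/sbin:/bin:/usr/sbin:/usr/bin /bin/sh -c 'env'
}

# Return 0 if variable $1 appears in the environment listing on stdin.
has_var() {
    grep -q "^$1="
}

# Constructed secret sitting in the administrator's login shell.
DB_PASSWORD='constructed-sample-value'
export DB_PASSWORD

if start_inherited | has_var DB_PASSWORD; then
    echo "direct start: DB_PASSWORD is visible to the child"
fi

if ! start_clean | has_var DB_PASSWORD; then
    echo "env -i start: DB_PASSWORD is not visible to the child"
fi
```
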
