From: Paul Schmehl
To: Pieter Donche, Robert Huff
Cc: "mail.list freebsd-questions"
Date: Mon, 15 Jun 2009 14:29:13 +0000
Subject: Re: path for user www
Message-ID: <2A832F905771652089DDC019@utd65257.utdallas.edu>

--On Monday, June 15, 2009 07:16:51 -0500 Pieter Donche wrote:

>
> On Mon, 15 Jun 2009, Robert Huff wrote:
>
>>
>> Pieter Donche writes:
>>> How can one change the PATH for the user www ?
>>> to include e.g. /usr/local/bin
>>>
>>> In /etc/passwd the entry now is:
>>> www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
>>
>> Start by reading the section 5 man page for "passwd".
>> Could you provide a little more detail about what's breaking
>> and why you think this user's path is involved?
>> Robert Huff
>
> Some users on my system run scripts in their webpages. If they specify
> commands (e.g.) 'python', it is not found, unless it is specified as
> '/usr/local/bin/python', since the Apache runs in an environment which
> has as PATH: (as can be seen from phpinfo() output)
> /sbin:/bin:/usr/sbin:/usr:bin
> only.
>
> How can one make the PATH that Apache httpd daemon will use
> be a different path?
> and where exactly does it get /sbin:/bin:/usr/sbin:/usr:bin from
> in the first place?
>
> I could try specifying in /usr/local/sbin/apachectl 's Bourne shell script:
> PATH=/sbin:/bin:/usr/sbin:/usr:bin:/usr/local/sbin:/usr/local/bin
> export PATH
>
> but wouldn't this be set back to the original at an Apache update?
>
> root has a better path:
> PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:
> /root/bin
>
> how could I have httpd have the same path?

Why would you want to? You'd open yourself up to all sorts of potential
compromise paths. There's a reason why root's path is different from normal
users.

Instead of doing that, consider creating jails. Or create a symlink to only
those binaries that they need to run their scripts to a location that www
already has in its path.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own
and not those of my employer.
*******************************************
Check the headers before clicking on Reply.
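
One way to carry out the symlink suggestion in the reply above, as an added example that is not part of the original message: link only an explicit allowlist of binaries into a directory the web server already searches, refusing targets that are writable by group or others and refusing to shadow an existing command. The function names `safe_source` and `link_allowed` and the `DEST` placeholder are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are assumptions.

# safe_source FILE: true only for an absolute path to an executable regular
# file that group and others cannot write (a writable target could be
# replaced with something else after the link is made).
safe_source() {
    case $1 in /*) ;; *) return 1 ;; esac
    [ -f "$1" ] && [ -x "$1" ] || return 1
    [ -z "$(find -L "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# link_allowed DEST FILE...: symlink each allowlisted FILE into DEST, a
# directory already on the web server's PATH. Never overwrites or shadows
# an existing name. Returns non-zero if anything was refused.
link_allowed() {
    dest=$1; shift
    rc=0
    [ -d "$dest" ] || { echo "no such directory: $dest" >&2; return 2; }
    for src in "$@"; do
        name=${src##*/}
        if ! safe_source "$src"; then
            echo "refused, not a safe executable: $src" >&2; rc=1
        elif [ -e "$dest/$name" ] || [ -L "$dest/$name" ]; then
            echo "refused, name already exists: $dest/$name" >&2; rc=1
        else
            ln -s "$src" "$dest/$name" && echo "linked $dest/$name -> $src"
        fi
    done
    return $rc
}

# Usage (run as root; DEST is whichever PATH directory you choose):
#   link_allowed DEST /usr/local/bin/python
```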