Date: Mon, 15 Jun 2009 14:29:13 +0000
From: Paul Schmehl <pschmehl_lists@tx.rr.com>
To: Pieter Donche <Pieter.Donche@ua.ac.be>, Robert Huff <roberthuff@rcn.com>
Cc: "mail.list freebsd-questions" <freebsd-questions@freebsd.org>
Subject: Re: path for user www
Message-ID: <2A832F905771652089DDC019@utd65257.utdallas.edu>
In-Reply-To: <alpine.BSF.2.00.0906151404040.38025@macos.cmi.ua.ac.be>
References: <alpine.BSF.2.00.0906151131390.34405@macos.cmi.ua.ac.be> <18998.13606.129658.46433@jerusalem.litteratus.org> <alpine.BSF.2.00.0906151404040.38025@macos.cmi.ua.ac.be>
--On Monday, June 15, 2009 07:16:51 -0500 Pieter Donche <Pieter.Donche@ua.ac.be> wrote:

>
> On Mon, 15 Jun 2009, Robert Huff wrote:
>
>>
>> Pieter Donche writes:
>>> How can one change the PATH for the user www ?
>>> to include e.g. /usr/local/bin
>>>
>>> In /etc/passwd the entry now is:
>>> www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
>>
>> Start by reading the section 5 man page for "passwd".
>> Could you provide a little more detail about what's breaking
>> and why you think this user's path is involved?
>> Robert Huff
>
> Some users on my system run scripts in their webpages. If they specify
> commands (e.g.) 'python', it is not found, unless it is specified as
> '/usr/local/bin/python', since the Apache runs in an environment which
> has as PATH: (as can be seen from phpinfo() output)
> /sbin:/bin:/usr/sbin:/usr:bin
> only.
>
> How can one make the PATH that Apache httpd daemon will use
> be a different path?
> and where exactly does it get /sbin:/bin:/usr/sbin:/usr:bin from
> in the first place?
>
> I could try specifying in /usr/local/sbin/apachectl 's Bourne shell script:
> PATH=/sbin:/bin:/usr/sbin:/usr:bin:/usr/local/sbin:/usr/local/bin
> export PATH
>
> but wouldn't this be set back to the original at an Apache update?
>
> root has a better path:
> PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:
> /root/bin
>
> how could I have httpd have the same path?

Why would you want to? You'd open yourself up to all sorts of potential
compromise paths. There's a reason why root's path is different from normal
users.

Instead of doing that, consider creating jails. Or create a symlink to only
those binaries that they need to run their scripts to a location that www
already has in its path.

--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
Check the headers before clicking on Reply.
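
The symlink approach suggested in the reply above, as an added example that is not part of the original message: a shell function that links only named binaries into a directory and skips any whose file or parent directory is group- or world-writable. The function names, the destination directory and the permission checks are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the thread): link an allowlist of binaries into a
# directory that is already on the web server user's PATH.
# Usage (destination is an assumption; pick a directory from www's PATH):
#   link_allowed /path/on/www/PATH /usr/local/bin/python

# True if the path (symlinks followed) is writable by group or others.
is_loosely_writable() {
    [ -n "$(find -L "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# link_allowed DEST SRC...  Returns 1 if any SRC was skipped.
link_allowed() {
    dest=$1; shift
    rc=0
    for src in "$@"; do
        name=$(basename "$src")
        case $src in
            /*) ;;
            *) echo "skip $src: not an absolute path" >&2; rc=1; continue ;;
        esac
        if [ ! -f "$src" ] || [ ! -x "$src" ]; then
            echo "skip $src: not an executable file" >&2; rc=1; continue
        fi
        # A writable binary or directory lets another account swap the
        # program the web server ends up running.
        if is_loosely_writable "$src" || is_loosely_writable "$(dirname "$src")"; then
            echo "skip $src: file or directory is group/world-writable" >&2
            rc=1; continue
        fi
        if [ -e "$dest/$name" ] || [ -L "$dest/$name" ]; then
            echo "skip $src: $dest/$name already exists" >&2; rc=1; continue
        fi
        ln -s "$src" "$dest/$name" || rc=1
    done
    return $rc
}
```

Existing entries in the destination are never overwritten, so a name collision shows up as a skipped source instead of silently replacing a system binary.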