SetEnv PATH "/usr/bin:/bin" does not work (it's an undocumented exception among a few more) because of special treatment in server/util_script.c::ap_add_common_vars(), which always takes PATH as inherited from Apache startup environment. The startup environment can be rather "wide", and narrowing it down with an appropriate SetEnv PATH (as shown) seems like a good security measure. But to no avail with current implementation. Note that another commonly used environment, closely related to PATH but only in terms of shared libraries rather than commands, LD_LIBRARY_PATH *can* be overridden with SetEnv directive.
Any news ? A workaround ? This bug makes the User directive really clumsy, since each and every cgi must set the PATH to reach other per-user executables. Also notice that not documenting it is a nightmare, since the only googlable documentation relative to SetEnv and PATH is the Apache 1 one, which takes "SetEnv PATH" as an example ! Having a regression from 1 to 2 is one thing, hiding it is something else...
This is marked "regression". What Apache version behaved differently? A look at svn suggests this goes back a very long way. It seems to me that changing this behaviour could open serious security issues in existing configurations. What's needed is for the behaviour to be consistent and adequately documented. I agree it's inconsistent for PATH and LD_LIBRARY_PATH to differ, and in AFAICS what you ask for seems reasonable. I'll raise this on the dev list.
Fixed in r965679. The thread on dev@ was brief and uncontroversial at http://marc.info/?l=apache-httpd-dev&m=126138054810936&w=2
We are using apache 2.2.23, but still have this problem of apache not honoring SetEnv PATH. This stops us from using different PATHs for different virtual hosts, since the alternate option of setting the startup envs through envvars can't be set per virtual host. I can see this but is resolved fixed, but don't see any target milestone on this one. Which version was this fix released in? Thanks.
The change is not in the 2.2.x branch. It is available in all 2.4.x releases.