Bug 55607 - Re-set HOME environment variable to directory from pw
Summary: Re-set HOME environment variable to directory from pw
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_suexec (show other bugs)
Version: 2.5-HEAD
Hardware: All All
: P2 enhancement with 1 vote (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-09-28 15:22 UTC by Lukas S
Modified: 2013-09-28 15:22 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Lukas S 2013-09-28 15:22:33 UTC
I think it is pretty inconvenient that one can't refer to the HOME environment variable in SuExec'd scripts.

SuExec already gets the target users pw information (and his home directory) while performing security checks. It would be reasonable, imho, to set the HOME env variable to this value.

I can not come up with any way how this could impact security, a script could do this lookup itself (although this is annoying, because most libraries rely on the HOME variable being set), so this would not expose any additional information.

I would suggest to add something like this (code not tested):

    /*
     * Add the Home-directory from pw to the environment
     */
    {
        char **ep;
        char homebuf[256];
        
        sprintf(homebuf, "HOME=%s", target_homedir);
        
        ep = environ;
        while (*ep != NULL) ++ep;
        *ep = strdup(homebuf);
        if (*ep == NULL) {
            log_err("failed to malloc memory for environment\n");
            exit(124);
        }
        *(ep + 1) = NULL;
    }

at line 472 in suexec.c

What do You think?