Why is www's $PATH only /usr/bin:/bin?

Niklaas Baudet von Gersdorff stdin at niklaas.eu
Wed Apr 27 07:05:48 UTC 2016

Valeri Galtsev [2016-04-26 16:15 -0500] :

> You can have $cmd containing full absolute path to the command bewith
> leading slash, say:
> /usr/local/bin/yourcommand
> then it should work (unless daemon runs chrooted, then you need to
> have copied of all these in chrooted environment). Having daemons
> exposed to external world able access as minimum of things as
> necessary would be a good security practice.

I thought about that too. I am trying to run some webapp based on PHP
that uses shell_exec to figure out where to find the program in
question. I don't want to make changes upstream, so I thought about
making changes to FreeBSD itself. I had a look at /etc/login.conf and
started wondering why $PATH is not set properly.

Thanks for the security advice. I am quite concerned about that too. The
webserver is running in a jail, ingoing and outgoing network connection
limited. It's only for personal use so access rather restricted.

More information about the freebsd-questions mailing list