Where to Unset or change $_SERVER['LD_LIBRARY_PATH']?

Question

I have an Apache 2.4 proxying to PHP7.4.4 php-fpm and I am trying to hide or unset the $_SERVER['LD_LIBRARY_PATH'] variable.

How do I change or get rid of this variable $_SERVER['LD_LIBRARY_PATH'] in the PHP output?

Assume that apache2.4 is installed to /apache24.

==userX-fpm-pool.conf==
[userX]
user = userX
group = userX
listen = 127.0.0.1:9003
clear_env = yes
env['LD_LIBRARY_PATH'] = /fakepath

==php.ini==
variables_order = "GPCS"

==userX-vhost.conf==
<VirtualHost *:80>
    ServerName userX.xxxxxx.com

    ServerAdmin webmaster@localhost
    DocumentRoot /userX/home/www

    UnsetEnv LD_LIBRARY_PATH

    <Directory /userX/home/www>
            Options Indexes FollowSymLinks
            DirectoryIndex index.php index.html
            Require all granted
            AllowOverride All
    </Directory>

    ProxyPassMatch "^/(.*\.php(/.*)?)$" "fcgi://127.0.0.1:9003/"
</VirtualHost>

==index.php==
<?php
print_r($_ENV);
print_r($_SERVER);

The curl output:

curl -H "Host: userX.xxxxxx.com" http://127.0.0.1
Array
(
)
Array
(
    [LD_LIBRARY_PATH] => /apache24/lib --> How do I change or get rid of this variable?
    [USER] => userX
    [HOME] => /home
    [SCRIPT_NAME] => /index.php
    [REQUEST_URI] => /
    [QUERY_STRING] =>
    [REQUEST_METHOD] => GET
    [SERVER_PROTOCOL] => HTTP/1.1
    [GATEWAY_INTERFACE] => CGI/1.1
    [REMOTE_PORT] => 49248
    [SCRIPT_FILENAME] => //index.php
    [SERVER_ADMIN] => webmaster@localhost
    [CONTEXT_DOCUMENT_ROOT] => /userX/home/www
    [CONTEXT_PREFIX] =>
    [REQUEST_SCHEME] => http
    [DOCUMENT_ROOT] => /userX/home/www
    [REMOTE_ADDR] => 127.0.0.1
    [SERVER_PORT] => 80
    [SERVER_ADDR] => 127.0.0.1
    [SERVER_NAME] => userX.xxxxxx.com
    [SERVER_SOFTWARE] => Apache/2.4.43 (Unix) OpenSSL/1.1.1 PHP/7.4.4
    [SERVER_SIGNATURE] =>
    [PATH] => /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
    [HTTP_ACCEPT] => */*
    [HTTP_USER_AGENT] => curl/7.58.0
    [HTTP_HOST] => userX.xxxxxx.com
    [FCGI_ROLE] => RESPONDER
    [PHP_SELF] => /index.php
    [REQUEST_TIME_FLOAT] => 1587830093.9565
    [REQUEST_TIME] => 1587830093
)

score 0 · Answer 1 · answered Apr 25 '20 at 22:00

0

Don't "print_r($_SERVER);", and it won't appear in your output. It's an environment variable set when Apache (= the server) was started. You can manipulate it in the Apache startup scripts, or the Apache configuration. If you get rid of it, don't be surprised if Apache doesn't start anymore.

answered Apr 25 '20 at 22:00

Gerard H. Pille

2,569
1
13
11

even if I don't print it, another user will. – user2176499 Apr 26 '20 at 01:24
Only if you give him access to your server, as in: you allow him to install a php script on your webserver. At that time, you will have bigger problems than a visible environment variable. – Gerard H. Pille Apr 26 '20 at 05:31
Yea, I have hardended php.ini and chroot jail users to their respective jailed directories. This is the last bit of info I need to hide. – user2176499 Apr 26 '20 at 05:42
Was it unsafe if they knew the contents of LD_LIBRARY_PATH? – Gerard H. Pille Apr 26 '20 at 07:23
Yes, LD_LIBRARY_PATH contains sensitive information. – user2176499 Apr 26 '20 at 07:25
Are you still using WP? I don't mean WordPerfect ;-) – Gerard H. Pille Apr 26 '20 at 07:54
WP as in Wordpress? – user2176499 Apr 26 '20 at 10:57
Indeed, since once upon a time you were busy with Woocommerce. – Gerard H. Pille Apr 26 '20 at 12:40
Well, yes, that was long time ago. I am still working on WP but more towards towards using WP as a backend service or a product module. How did you know that I was working on Woocommerce? – user2176499 Apr 27 '20 at 04:50
Your question about the duplicate orders. – Gerard H. Pille Apr 27 '20 at 05:13
Oh yea, that was a while back. – user2176499 Apr 27 '20 at 05:18
Any potential work or project that you might want me to look at? LOL – user2176499 Apr 27 '20 at 05:25
No, sorry, I've been out of business for quite a while now. But when I was, there were a couple of Wordpress installations. Every couple of weeks they got hacked. – Gerard H. Pille Apr 27 '20 at 08:44
Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/107289/discussion-between-user2176499-and-gerard-h-pille). – user2176499 Apr 28 '20 at 05:07

score 0 · Accepted Answer · answered Apr 26 '20 at 02:06

Solved it. The solution is to comment off the LD_LIBRARY_PATH setting and export lines in envvars file in the bin directory of httpd-2.4.3 and then changing the FPM pool config file to the desired env value. Since the lib/ directory is for external linkage and I don't need it, apachectl starts fine. The only caveat is that ./apachectl restart doesn't work, you have to manually do a ./apachectl stop and then ./apachectl start for the changes to take effect.

==envvars==
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
#
# envvars-std - default environment variables for apachectl
#
# This file is generated from envvars-std.in
#
#if test "x$LD_LIBRARY_PATH" != "x" ; then
#  LD_LIBRARY_PATH="/apache24/lib:$LD_LIBRARY_PATH"
#else
#  LD_LIBRARY_PATH="/apache24/lib"
#fi
#export LD_LIBRARY_PATH
#

==userX-fpm-pool.conf==
[userX]
user = userX
group = userX
listen = 127.0.0.1:9003
clear_env = yes
env['LD_LIBRARY_PATH'] = /fakepath


root@instance:/apache24/bin# ./apachectl stop && ./apachectl start

curl -H "Host: userX.xxxxxx.com" http://127.0.0.1
Array
(
)
Array
(
    [LD_LIBRARY_PATH] => /fakepath
    [USER] => userX
    [HOME] => /home
    [SCRIPT_NAME] => /index.php
    [REQUEST_URI] => /
    [QUERY_STRING] =>
    [REQUEST_METHOD] => GET
    [SERVER_PROTOCOL] => HTTP/1.1
    [GATEWAY_INTERFACE] => CGI/1.1
    [REMOTE_PORT] => 49348
    [SCRIPT_FILENAME] => //index.php
    [SERVER_ADMIN] => webmaster@localhost
    [CONTEXT_DOCUMENT_ROOT] => /userX/home/www
    [CONTEXT_PREFIX] =>
    [REQUEST_SCHEME] => http
    [DOCUMENT_ROOT] => /userX/home/www
    [REMOTE_ADDR] => 127.0.0.1
    [SERVER_PORT] => 80
    [SERVER_ADDR] => 127.0.0.1
    [SERVER_NAME] => userX.xxxxxx.com
    [SERVER_SOFTWARE] => Apache/2.4.43 (Unix) OpenSSL/1.1.1 PHP/7.4.4
    [SERVER_SIGNATURE] =>
    [PATH] => /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
    [HTTP_ACCEPT] => */*
    [HTTP_USER_AGENT] => curl/7.58.0
    [HTTP_HOST] => userX.xxxxxx.com
    [FCGI_ROLE] => RESPONDER
    [PHP_SELF] => /index.php
    [REQUEST_TIME_FLOAT] => 1587866614.9455
    [REQUEST_TIME] => 1587866614
)

Where to Unset or change $_SERVER['LD_LIBRARY_PATH']?

2 Answers2