Environment variables are not controlled by IPA's WSGI scripts, and the env that comes from systemd->apache is passed down as is.
The current env I see is:
```
(Pdb) bt
  /usr/share/ipa/wsgi.py(28)<module>()
-> application = create_application()
> /usr/lib/python3.9/site-packages/ipaserver/wsgi.py(51)create_application()
-> api.bootstrap(context="server", confdir=paths.ETC_IPA, log=None)
(Pdb) pprint.pprint(dict(os.environ))
{'GSS_USE_PROXY': 'yes',
 'HOME': '/',
 'INVOCATION_ID': '4bad74d04bd9473ab29ea6cd092254ed',
 'JOURNAL_STREAM': '8:2727973',
 'KDCPROXY_CONFIG': '/etc/ipa/kdcproxy/kdcproxy.conf',
 'KRB5CCNAME': '/tmp/krb5cc-httpd',
 'LANG': 'C.UTF-8',
 'LC_ALL': 'C.UTF-8',
 'NOTIFY_SOCKET': '/run/systemd/notify',
 'PATH': '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin',
 'SYSTEMD_EXEC_PID': '50313'}
(Pdb)
```
For example, KRB5CCNAME, which by accident may be tried to be used by the IPA framework (this fails due to file permissions). It is safer to choose which env vars are allowed and which are not.
Metadata Update from @slev: - Issue assigned to slev
Metadata Update from @slev: - Issue close_status updated to: invalid - Issue status updated to: Closed (was: Open)
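
The allowlist approach the ticket proposes, sketched as an added example (not FreeIPA code and not from the ticket author). The `ALLOWED_PATTERNS` tuple and the function names are assumptions made for illustration; the sample input is constructed from the environment dump quoted above.

```python
import fnmatch

# Assumption: illustrative allowlist only, not a policy FreeIPA ships.
# Anything not matched here (KRB5CCNAME included) is removed.
ALLOWED_PATTERNS = ("PATH", "LANG", "LC_*", "GSS_USE_PROXY", "KDCPROXY_CONFIG")


def scrub_environment(environ, allowed=ALLOWED_PATTERNS):
    """Delete every variable whose name matches no allowlist pattern.

    Mutates `environ` in place, so passing os.environ also unsets the
    variable for the process. Returns the sorted names that were
    dropped so the caller can log them.
    """
    dropped = []
    for name in list(environ):  # copy the keys: we delete while iterating
        if not any(fnmatch.fnmatchcase(name, pat) for pat in allowed):
            del environ[name]
            dropped.append(name)
    return sorted(dropped)


def sample_environment():
    """Constructed sample: the variables shown in the pdb dump above."""
    return {
        "GSS_USE_PROXY": "yes",
        "HOME": "/",
        "INVOCATION_ID": "4bad74d04bd9473ab29ea6cd092254ed",
        "JOURNAL_STREAM": "8:2727973",
        "KDCPROXY_CONFIG": "/etc/ipa/kdcproxy/kdcproxy.conf",
        "KRB5CCNAME": "/tmp/krb5cc-httpd",
        "LANG": "C.UTF-8",
        "LC_ALL": "C.UTF-8",
        "NOTIFY_SOCKET": "/run/systemd/notify",
        "PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin",
        "SYSTEMD_EXEC_PID": "50313",
    }


if __name__ == "__main__":
    env = sample_environment()
    print("dropped:", scrub_environment(env))
    print("kept:   ", sorted(env))
```

In a WSGI entry point the call would be `scrub_environment(os.environ)` before the application is created, with the returned list written to the log.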