Date: Fri, 1 Jul 2011 11:30:27 GMT From: Ildar Ibragimov <dar.quonb@gmail.com> To: freebsd-gnats-submit@FreeBSD.org Subject: ports/158565: Add rlimits based on login class for mpm-itk Message-ID: <201107011130.p61BUR6I045753@red.freebsd.org> Resent-Message-ID: <201107011140.p61Be7K0080296@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 158565 >Category: ports >Synopsis: Add rlimits based on login class for mpm-itk >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Fri Jul 01 11:40:07 UTC 2011 >Closed-Date: >Last-Modified: >Originator: Ildar Ibragimov >Release: 8.2 amd64 >Organization: >Environment: >Description: By default before setuid() and setguid() calls Apache with mpm-itk do not apply login class restrictions. >How-To-Repeat: Install Apache 2.2 from www/apache22-itk-mpm >Fix: Apply patch. It adds an extra patch that is based on extra-patch-suexec_rsrclimit and a new option knob to switch behaviour for only for www/apache22-itk-mpm port. Patch attached with submission follows: diff -Nru apache22.orig/Makefile apache22/Makefile --- apache22.orig/Makefile 2011-07-01 11:00:46.000000000 +0000 +++ apache22/Makefile 2011-07-01 11:16:07.000000000 +0000 @@ -52,6 +52,8 @@ APACHEDIR= ${MASTERDIR} .endif +WITH_MPM?= prefork # or worker, event, itk + .if !defined(WITHOUT_APACHE_OPTIONS) OPTIONS= \ THREADS "Enable threads support in APR" Off \ @@ -61,6 +63,9 @@ IPV6 "Enable IPv6 support" On \ BDB "Enable BerkeleyDB dbm" Off .include "${APACHEDIR}/Makefile.options" +.if ${WITH_MPM:L} == "itk" +OPTIONS+=ITK_LIMITS "mpm-itk rlimits based on login class" Off +.endif .endif .if defined(WITH_SUEXEC_RSRCLIMIT) @@ -94,8 +99,6 @@ MAKE_ENV+= EXPR_COMPAT=yes \ INSTALL_MAN="${INSTALL_MAN}" -WITH_MPM?= prefork # or worker, event, itk - WITH_HTTP_PORT?= 80 .if defined(WITH_STATIC_SUPPORT) diff -Nru apache22.orig/Makefile.modules apache22/Makefile.modules --- apache22.orig/Makefile.modules 2011-07-01 11:00:46.000000000 +0000 +++ apache22/Makefile.modules 2011-07-01 11:01:44.000000000 +0000 @@ -65,6 +65,9 @@ . elif ${WITH_MPM:L} == "itk" PLIST_SUB+= PREFORK="@comment " WORKER="@comment " EVENT="@comment " EXTRA_PATCHES+= ${PATCHDIR}/mpm-itk-${MPM_ITK_VERSION} +. if defined (WITH_ITK_LIMITS) +EXTRA_PATCHES+= ${PATCHDIR}/mpm-itk-limits +. endif . if defined (WITH_ITK_PERDIR_REGEX) EXTRA_PATCHES+= ${PATCHDIR}/mpm-itk-perdir-regex . endif diff -Nru apache22.orig/files/mpm-itk-limits apache22/files/mpm-itk-limits --- apache22.orig/files/mpm-itk-limits 1970-01-01 00:00:00.000000000 +0000 +++ apache22/files/mpm-itk-limits 2011-07-01 10:34:36.000000000 +0000 @@ -0,0 +1,53 @@ +--- server/mpm/experimental/itk/Makefile.in.orig 2011-07-01 10:33:45.000000000 +0000 ++++ server/mpm/experimental/itk/Makefile.in 2011-07-01 10:33:57.000000000 +0000 +@@ -1,5 +1,6 @@ + + LTLIBRARY_NAME = libitk.la + LTLIBRARY_SOURCES = itk.c ++LTLIBRARY_LIBADD = -lutil + + include $(top_srcdir)/build/ltlib.mk +--- server/mpm/experimental/itk/itk.c.orig 2011-07-01 10:04:40.000000000 +0000 ++++ server/mpm/experimental/itk/itk.c 2011-07-01 10:17:19.000000000 +0000 +@@ -41,6 +41,8 @@ + #if APR_HAVE_SYS_TYPES_H + #include <sys/types.h> + #endif ++#include <pwd.h> ++#include <login_cap.h> + + #define CORE_PRIVATE + +@@ -1438,6 +1440,8 @@ + gid_t wanted_gid; + const char *wanted_username; + int err = 0; ++ struct passwd *pw; ++ login_cap_t *lc; + + itk_server_conf *sconf = + (itk_server_conf *) ap_get_module_config(r->server->module_config, &mpm_itk_module); +@@ -1481,6 +1485,23 @@ + wanted_username = unixd_config.user_name; + } + ++ if ((pw = getpwuid(wanted_uid)) == NULL) { ++ _DBG("crit: invalid uid: (%ld)", wanted_uid, strerror(errno)); ++ err = 1; ++ } ++ ++ /* ++ * Apply user resource limits based on login class. ++ */ ++ if ((lc = login_getclassbyname(pw->pw_class, pw)) == NULL) { ++ _DBG("failed to login_getclassbyname()", strerror(errno)); ++ err = 1; ++ } ++ if ((setusercontext(lc, pw, wanted_uid, LOGIN_SETRESOURCES)) != 0) { ++ _DBG("failed to setusercontext()", strerror(errno)); ++ err = 1; ++ } ++ + if (!err && wanted_uid != -1 && wanted_gid != -1 && (getuid() != wanted_uid || getgid() != wanted_gid)) { + if (setgid(wanted_gid)) { + _DBG("setgid(%d): %s", wanted_gid, strerror(errno)); >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201107011130.p61BUR6I045753>