Date:      Wed, 19 May 1999 03:23:15 +1000 (EST)
From:      Andy Farkas <andyf@speednet.com.au>
To:        freebsd-isp@FreeBSD.ORG
Subject:   suexec  [was: Re: Apache log files]
Message-ID:  <Pine.BSF.4.05.9905190253540.21545-100000@backup.zippynet.iol.net.au>
In-Reply-To: <Pine.BSF.4.05.9905180808050.90778-100000@heaven.gigo.com>

On Tue, 18 May 1999 jfesler@gigo.com wrote:

> > While we're on the subject of log files...
> > 

While we're on the subject of apache... :)

I would like to share my experience of allowing users to run cgi scripts
via the 'suexec' method supplied with apache (1.3.6).  This allows you to
have cgi scripts executed in the context of the userid, but it doesn't
implement 'login.conf' resource limits associated with a user 'class'.

I have patched suexec.c to do this - enjoy:


--- suexec.c	Sat Jan  2 06:05:35 1999
+++ /home/andyf/suexec.c	Fri Mar 12 12:11:09 1999
@@ -75,6 +75,8 @@
 #include <sys/param.h>
 #include <sys/stat.h>
 #include <sys/types.h>
+/* AAA: */
+#include <login_cap.h>
 
 #include <stdarg.h>
 
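
Review bot: The #include <login_cap.h> added here is unconditional, and login_cap.h is a BSD header, so suexec.c will no longer compile on platforms that lack it. Wrap this include, the lc declaration in the next hunk and the login class block in the last hunk in a single #ifdef (a macro such as HAVE_LOGIN_CAP, name hypothetical) so other builds are unaffected. On FreeBSD the login_cap functions called further down are in libutil, so the build notes should also say to link with -lutil.
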
@@ -249,6 +251,9 @@
     char *cmd;			/* command to be executed    */
     char cwd[AP_MAXPATH];	/* current working directory */
     char dwd[AP_MAXPATH];	/* docroot working directory */
+/* AAA: */
+    login_cap_t *lc;
+
     struct passwd *pw;		/* password entry holder     */
     struct group *gr;		/* group entry holder        */
     struct stat dir_info;	/* directory info holder     */
@@ -374,6 +379,24 @@
 	log_err("cannot run as forbidden gid (%d/%s)\n", gid, cmd);
 	exit(108);
     }
+
+/* AAA: */
+	/* get user login class...
+	*/
+	if ((lc = login_getclassbyname(pw->pw_class, pw)) == NULL) {
+		log_err("failed to login_getclassbyname()\n");
+		exit(109);
+	}
+
+	/* set resource limits ...
+	*/
+	if ((setusercontext(lc, pw, uid, LOGIN_SETRESOURCES)) != 0) {
+		log_err("failed to setusercontext()\n");
+		exit(109);
+	}
+
+	login_close(lc);
+/* :AAA */
 
     /*
      * Change UID/GID here so that the following tests work over NFS.
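
Review bot: Both new failure paths in this block call exit(109) and log a fixed string, so a failed class lookup and a failed setusercontext() cannot be told apart from the exit status, and neither message names the user or class, unlike the gid message just above, which logs gid and cmd. Give each path its own exit code (checking that it is not already used later in suexec.c) and include pw->pw_class and uid in the log_err() text. FreeBSD's login_getpwclass(pw) is worth considering in place of login_getclassbyname(pw->pw_class, pw), since it resolves the class from the passwd entry directly. As a style point, the added lines are tab-indented one level deeper than the surrounding 4-space code.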


--
 
 :{ andyf@speednet.com.au
  
        Andy Farkas
    System Administrator
   Speed Internet Services
 http://www.speednet.com.au/
  
