Date: Tue, 7 Sep 1999 07:13:11 +1000 (EST) From: Andy Farkas <andyf@speednet.com.au> To: FreeBSD-gnats-submit@freebsd.org Cc: ache@freebsd.org Subject: ports/13606: Apache's suEXEC wrapper doesn't enforce user limits Message-ID: <Pine.BSF.4.10.9909070704330.15777-100000@localhost>
next in thread | raw e-mail | index | archive | help
>Number: 13606
>Category: ports
>Synopsis: Apache's suEXEC wrapper doesn't enforce user limits
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Mon Sep 6 14:20:00 PDT 1999
>Closed-Date:
>Last-Modified:
>Originator: Andy Farkas
>Release: FreeBSD 3.2-STABLE i386
>Organization:
Speednet Communications Pty Ltd
>Environment:
Apache-1.3.9 on FreeBSD 3.2-STABLE
>Description:
Apache's suEXEC wrapper doesn't enforce user limits. Users may
exhaust various system resources, even though resource limits
have been properly set.
>How-To-Repeat:
Enable the suEXEC wrapper for user CGI scripts and expect the
system to be 'more stable'. Weep as the system grounds to a
halt when user 'bob' uploads his "for(;;)" code and tells his
mates to "click here as many times as you can!".
Note that user bob has maxproc set to 2 and cputime to 60 secs.
>Fix:
This patch is for Apache-1.3.9:
--- suexec.c.orig Tue Jun 22 10:51:41 1999
+++ suexec.c Mon Sep 6 21:47:33 1999
@@ -75,6 +75,7 @@
#include <sys/param.h>
#include <sys/stat.h>
#include <sys/types.h>
+#include <login_cap.h>
#include <stdarg.h>
@@ -250,6 +251,7 @@
char *cmd; /* command to be executed */
char cwd[AP_MAXPATH]; /* current working directory */
char dwd[AP_MAXPATH]; /* docroot working directory */
+ login_cap_t *lc; /* user resource limits */
struct passwd *pw; /* password entry holder */
struct group *gr; /* group entry holder */
struct stat dir_info; /* directory info holder */
@@ -401,6 +403,19 @@
if ((gid == 0) || (gid < GID_MIN)) {
log_err("cannot run as forbidden gid (%d/%s)\n", gid, cmd);
exit(108);
+ }
+
+ /*
+ * Apply user resource limits based on login class.
+ */
+ if ((lc = login_getclassbyname(pw->pw_class, pw)) == NULL) {
+ log_err("failed to login_getclassbyname()\n");
+ exit(109);
+ }
+
+ if ((setusercontext(lc, pw, uid, LOGIN_SETRESOURCES)) != 0) {
+ log_err("failed to setusercontext()\n");
+ exit(109);
}
/*
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.10.9909070704330.15777-100000>