Date: 27 Jun 2009 18:34:20 +0400
From: "Alexey V.Degtyarev" <alexey@renatasystems.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/136091: [PATCH] www/apache22 - suexec resource limits patch
Message-ID: <20090627143420.63500.qmail@hs-9.renatasystems.org>
Resent-Message-ID: <200906271440.n5REe1Dq043281@freefall.freebsd.org>
>Number: 136091
>Category: ports
>Synopsis: [PATCH] www/apache22 - suexec resource limits patch
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Sat Jun 27 14:40:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Alexey V. Degtyarev
>Release: FreeBSD 7.1-RELEASE amd64
>Organization:
>Environment:
System: FreeBSD renatasystems.org 7.1-RELEASE FreeBSD 7.1-RELEASE #0: Thu Jan 1 08:58:24 UTC 2009 root@driscoll.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
By default suexec doesn't enforce the different resource limitations configured in login.conf(5). This is probably because resource limitations are handled differently on various different platforms. The attached patch modifies suexec behaviour to set resource limits for CGIs from /etc/login.conf before execing the customer's CGI script. This functionality has already been implemented in www/apache13 with patch-ak, patch-ba, and patch-bb.
>How-To-Repeat:
>Fix:
--- apache22.patch begins here --- diff -u -Nr apache22.orig/Makefile apache22/Makefile --- apache22.orig/Makefile 2009-06-18 19:40:42.000000000 +0400 +++ apache22/Makefile 2009-06-27 17:19:08.000000000 +0400 @@ -9,7 +9,7 @@ PORTNAME= apache PORTVERSION= 2.2.11 -PORTREVISION?= 7 +PORTREVISION?= 8 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} DISTNAME= httpd-${PORTVERSION} diff -u -Nr apache22.orig/files/patch-suexec_rsrclimit apache22/files/patch-suexec_rsrclimit --- apache22.orig/files/patch-suexec_rsrclimit 1970-01-01 03:00:00.000000000 +0300 +++ apache22/files/patch-suexec_rsrclimit 2009-06-27 17:08:57.000000000 +0400 
@@ -0,0 +1,49 @@ +# http://www.chrishardie.com/tech/apache/suexec_rsrclimit.html +--- support/suexec.c.orig Wed Jul 12 07:38:44 2006 ++++ support/suexec.c Wed Nov 15 23:58:04 2006 +@@ -37,6 +37,7 @@ + #include <sys/param.h> + #include <sys/stat.h> + #include <sys/types.h> ++#include <login_cap.h> + #include <string.h> + #include <time.h> + #if APR_HAVE_UNISTD_H +@@ -259,6 +260,7 @@ + char *cmd; /* command to be executed */ + char cwd[AP_MAXPATH]; /* current working directory */ + char dwd[AP_MAXPATH]; /* docroot working directory */ ++ login_cap_t *lc; /* user resource limits */ + struct passwd *pw; /* password entry holder */ + struct group *gr; /* group entry holder */ + struct stat dir_info; /* directory info holder */ +@@ -463,6 +465,18 @@ + log_err("cannot run as forbidden gid (%d/%s)\n", gid, cmd); + exit(108); + } ++ ++ /* ++ * Apply user resource limits based on login class. ++ */ ++ if ((lc = login_getclassbyname(pw->pw_class, pw)) == NULL) { ++ log_err("failed to login_getclassbyname()\n"); ++ exit(109); ++ } ++ if ((setusercontext(lc, pw, uid, LOGIN_SETRESOURCES)) != 0) { ++ log_err("failed to setusercontext()\n"); ++ exit(109); ++ } + + /* + * Change UID/GID here so that the following tests work over NFS. +--- support/Makefile.in.orig Thu Nov 16 02:20:47 2006 ++++ support/Makefile.in Thu Nov 16 02:11:29 2006 +@@ -65,7 +65,7 @@ + + suexec_OBJECTS = suexec.lo + suexec: $(suexec_OBJECTS) +- $(LINK) $(suexec_OBJECTS) ++ $(LINK) -lutil $(suexec_OBJECTS) + + htcacheclean_OBJECTS = htcacheclean.lo + htcacheclean: $(htcacheclean_OBJECTS) --- apache22.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
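Review bot: In the support/suexec.c hunk at @@ -463,6 +465,18 @@, both new failure paths call exit(109) and log a fixed string, so a failed login_getclassbyname() cannot be told apart from a failed setusercontext() by exit status, and neither log line says which user or login class was involved. The check just above logs gid and cmd; suggest giving each path its own exit code and logging pw->pw_name and pw->pw_class in both messages. The login_cap_t stored in lc is also never released; a login_close(lc) after the setusercontext() call would free it once the limits have been applied.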
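Review bot: In the support/Makefile.in hunk at @@ -65,7 +65,7 @@, -lutil is placed ahead of $(suexec_OBJECTS) on the link line. Linkers resolve libraries left to right, so a library named before the objects that reference it can be dropped when linking statically or with as-needed behaviour; suggest `$(LINK) $(suexec_OBJECTS) -lutil` so the symbols from login_cap.h are resolved after suexec.lo has been seen.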