From owner-freebsd-ports-bugs@FreeBSD.ORG Sat Jun 27 14:40:02 2009
Message-Id: <20090627143420.63500.qmail@hs-9.renatasystems.org>
Date: 27 Jun 2009 18:34:20 +0400
From: "Alexey V.Degtyarev"
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: ports/136091: [PATCH] www/apache22 - suexec resource limits patch
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: "Alexey V.Degtyarev"
List-Id: Ports bug reports
X-List-Received-Date: Sat, 27 Jun 2009 14:40:02 -0000

>Number: 136091
>Category: ports
>Synopsis: [PATCH] www/apache22 - suexec resource limits patch
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Sat Jun 27 14:40:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Alexey V. Degtyarev
>Release: FreeBSD 7.1-RELEASE amd64
>Organization:
>Environment:
System: FreeBSD renatasystems.org 7.1-RELEASE FreeBSD 7.1-RELEASE #0: Thu Jan 1 08:58:24 UTC 2009 root@driscoll.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
By default suexec doesn't enforce different resource limitations configured in login.conf(5). This is probably because resource limitations are handled differently on various different platforms.

The attached patch modifies suexec behaviour to set resource limits for CGIs from /etc/login.conf before execing the customer's CGI script. This functionality has already been implemented in www/apache13 with patch-ak, patch-ba, and patch-bb.
>How-To-Repeat:
>Fix:
--- apache22.patch begins here --- diff -u -Nr apache22.orig/Makefile apache22/Makefile --- apache22.orig/Makefile 2009-06-18 19:40:42.000000000 +0400 +++ apache22/Makefile 2009-06-27 17:19:08.000000000 +0400 
@@ -9,7 +9,7 @@ PORTNAME= apache PORTVERSION= 2.2.11 -PORTREVISION?= 7 +PORTREVISION?= 8 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} DISTNAME= httpd-${PORTVERSION} diff -u -Nr apache22.orig/files/patch-suexec_rsrclimit apache22/files/patch-suexec_rsrclimit --- apache22.orig/files/patch-suexec_rsrclimit 1970-01-01 03:00:00.000000000 +0300 +++ apache22/files/patch-suexec_rsrclimit 2009-06-27 17:08:57.000000000 +0400 @@ -0,0 +1,49 @@ +# http://www.chrishardie.com/tech/apache/suexec_rsrclimit.html +--- support/suexec.c.orig Wed Jul 12 07:38:44 2006 ++++ support/suexec.c Wed Nov 15 23:58:04 2006 +@@ -37,6 +37,7 @@ + #include + #include + #include ++#include + #include + #include + #if APR_HAVE_UNISTD_H +@@ -259,6 +260,7 @@ + char *cmd; /* command to be executed */ + char cwd[AP_MAXPATH]; /* current working directory */ + char dwd[AP_MAXPATH]; /* docroot working directory */ ++ login_cap_t *lc; /* user resource limits */ + struct passwd *pw; /* password entry holder */ + struct group *gr; /* group entry holder */ + struct stat dir_info; /* directory info holder */ +@@ -463,6 +465,18 @@ + log_err("cannot run as forbidden gid (%d/%s)\n", gid, cmd); + exit(108); + } ++ ++ /* ++ * Apply user resource limits based on login class. ++ */ ++ if ((lc = login_getclassbyname(pw->pw_class, pw)) == NULL) { ++ log_err("failed to login_getclassbyname()\n"); ++ exit(109); ++ } ++ if ((setusercontext(lc, pw, uid, LOGIN_SETRESOURCES)) != 0) { ++ log_err("failed to setusercontext()\n"); ++ exit(109); ++ } + + /* + * Change UID/GID here so that the following tests work over NFS. +--- support/Makefile.in.orig Thu Nov 16 02:20:47 2006 ++++ support/Makefile.in Thu Nov 16 02:11:29 2006 +@@ -65,7 +65,7 @@ + + suexec_OBJECTS = suexec.lo + suexec: $(suexec_OBJECTS) +- $(LINK) $(suexec_OBJECTS) ++ $(LINK) -lutil $(suexec_OBJECTS) + + htcacheclean_OBJECTS = htcacheclean.lo + htcacheclean: $(htcacheclean_OBJECTS) --- apache22.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
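Review bot: In the suexec.c hunk at @@ -463,6 +465,18 @@, both new failure paths call exit(109), so a failed login_getclassbyname() cannot be told apart from a failed setusercontext() by exit status, while the check just above has its own code (108). Give each path a distinct code that the checks further down the file do not already use, and put pw->pw_name and pw->pw_class into the log_err() messages the way the neighbouring message carries gid and cmd. The login_cap_t returned by login_getclassbyname() is also never released; add login_close(lc) once setusercontext() has returned. Keeping the call ahead of the "Change UID/GID here" block is right, since raising a hard limit needs the privilege suexec still holds at that point.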
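Review bot: In the support/Makefile.in hunk, -lutil sits before $(suexec_OBJECTS) on the link line; a library should follow the objects that reference it, because a linker that resolves symbols left to right (static linking, or --as-needed) can discard libutil before it has seen the references to login_getclassbyname() and setusercontext(). Suggest $(LINK) $(suexec_OBJECTS) -lutil.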
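Review bot: The port-level part of the diff only bumps PORTREVISION and adds files/patch-suexec_rsrclimit, so the behaviour change reaches existing suexec users with no notice: CGIs that ran without login.conf limits will start running under their login class limits after the upgrade, and a failure in the new code ends the request with exit 109. Document this where upgraders will see it, and confirm that the embedded patch, whose headers are dated 2006, applies to the 2.2.11 sources named by PORTVERSION without offsets or fuzz.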