From owner-freebsd-apache@FreeBSD.ORG Tue Jul 7 18:40:05 2009
Date: Tue, 7 Jul 2009 18:40:04 GMT
Message-Id: <200907071840.n67Ie4JR056336@freefall.freebsd.org>
To: apache@FreeBSD.org
From: "Alexey V. Degtyarev"
Subject: Re: ports/136091: [PATCH] www/apache22 - suexec resource limits patch
List-Id: Support of apache-related ports

The following reply was made to PR ports/136091; it has been noted by GNATS.
From: "Alexey V. Degtyarev"
To: Sébastien Santoro
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/136091: [PATCH] www/apache22 - suexec resource limits patch
Date: Tue, 7 Jul 2009 22:03:36 +0400

> Should be an optional patch, please consider adding a make config option.

Ok, I have attached a diff with this patch enabled via a config option (default is off).
+ minor code cleanup for Makefile: [129]: whitespace before end of line.

--
Alexey V. Degtyarev

[Attachment: apache22.patch (text/x-diff)]

diff -u -N -r apache22.orig/Makefile apache22/Makefile --- apache22.orig/Makefile 2009-06-18 19:40:42.000000000 +0400 +++ apache22/Makefile 2009-07-07 21:24:54.000000000 +0400 @@ -126,7 +126,7 @@ .if defined(WITH_APR_FROM_PORTS) PLIST_SUB+= APR_PORTS="@comment " -APR_PORT?= devel/apr +APR_PORT?= devel/apr LIB_DEPENDS+= apr-1:${PORTSDIR}/${APR_PORT} CONFIGURE_ARGS+= --with-apr=${LOCALBASE}/bin/apr-1-config \ --with-apr-util=${LOCALBASE}/bin/apu-1-config @@ -169,6 +169,14 @@ . endif .endif +.if defined(WITH_SUEXEC_RSRCLIMIT) +EXTRA_PATCHES+= ${FILESDIR}/extra-patch-suexec_rsrclimit +.if !defined(WITH_SUEXEC) +IGNORE= suEXEC resource limit patch requires mod_suexec.\ + Please (re)run 'make config' and choose SUEXEC option also +.endif +.endif + CONFIGURE_ARGS+= --with-mpm=${WITH_MPM:L} pre-everything:: diff -u -N -r apache22.orig/Makefile.options apache22/Makefile.options --- apache22.orig/Makefile.options 2009-06-12 16:35:33.000000000 +0400 +++ apache22/Makefile.options 2009-07-07 21:22:40.000000000 +0400
@@ -71,5 +71,6 @@ PROXY_BALANCER "Enable mod_proxy_balancer" OFF \ SSL "Enable mod_ssl" ON \ SUEXEC "Enable mod_suexec" OFF \ + SUEXEC_RSRCLIMIT "SuEXEC rlimits based on login class" OFF \ CGID "Enable mod_cgid" OFF \ diff -u -N -r apache22.orig/files/extra-patch-suexec_rsrclimit apache22/files/extra-patch-suexec_rsrclimit --- apache22.orig/files/extra-patch-suexec_rsrclimit 1970-01-01 03:00:00.000000000 +0300 +++ apache22/files/extra-patch-suexec_rsrclimit 2009-06-27 17:08:57.000000000 +0400 
@@ -0,0 +1,49 @@ +# http://www.chrishardie.com/tech/apache/suexec_rsrclimit.html +--- support/suexec.c.orig Wed Jul 12 07:38:44 2006 ++++ support/suexec.c Wed Nov 15 23:58:04 2006 +@@ -37,6 +37,7 @@ + #include + #include + #include ++#include + #include + #include + #if APR_HAVE_UNISTD_H +@@ -259,6 +260,7 @@ + char *cmd; /* command to be executed */ + char cwd[AP_MAXPATH]; /* current working directory */ + char dwd[AP_MAXPATH]; /* docroot working directory */ ++ login_cap_t *lc; /* user resource limits */ + struct passwd *pw; /* password entry holder */ + struct group *gr; /* group entry holder */ + struct stat dir_info; /* directory info holder */ +@@ -463,6 +465,18 @@ + log_err("cannot run as forbidden gid (%d/%s)\n", gid, cmd); + exit(108); + } ++ ++ /* ++ * Apply user resource limits based on login class. ++ */ ++ if ((lc = login_getclassbyname(pw->pw_class, pw)) == NULL) { ++ log_err("failed to login_getclassbyname()\n"); ++ exit(109); ++ } ++ if ((setusercontext(lc, pw, uid, LOGIN_SETRESOURCES)) != 0) { ++ log_err("failed to setusercontext()\n"); ++ exit(109); ++ } + + /* + * Change UID/GID here so that the following tests work over NFS. +--- support/Makefile.in.orig Thu Nov 16 02:20:47 2006 ++++ support/Makefile.in Thu Nov 16 02:11:29 2006 +@@ -65,7 +65,7 @@ + + suexec_OBJECTS = suexec.lo + suexec: $(suexec_OBJECTS) +- $(LINK) $(suexec_OBJECTS) ++ $(LINK) -lutil $(suexec_OBJECTS) + + htcacheclean_OBJECTS = htcacheclean.lo + htcacheclean: $(htcacheclean_OBJECTS) --EeQfGwPcQSOJBaQU--
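Review bot: In the Makefile hunk at @@ -169,6 +169,14 @@, the nested `.if !defined(WITH_SUEXEC)` / `.endif` inside `.if defined(WITH_SUEXEC_RSRCLIMIT)` should be indented as `. if` / `. endif`, matching the `. endif` visible in the hunk's own context lines and the port's existing nesting style. The gating itself is right: IGNORE refuses the build when SUEXEC_RSRCLIMIT is set without SUEXEC, so the extra patch (which edits support/suexec.c and the suexec link rule) is never applied to a build that does not compile suexec. The IGNORE message split across a `\` continuation is fine for make, since leading whitespace on the continued line collapses to a single space.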
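Review bot: In the Makefile.options hunk at @@ -71,5 +71,6 @@, the description "SuEXEC rlimits based on login class" does not tell the user that the option depends on SUEXEC; that dependency is only enforced later, at build time, by the IGNORE in the Makefile. Stating it in the description, e.g. `SUEXEC_RSRCLIMIT "SuEXEC rlimits from login class (needs SUEXEC)" OFF \`, avoids a `make config` round trip.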
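Review bot: In the extra-patch-suexec_rsrclimit hunk, the suexec.c change never releases the login class: add `login_close(lc);` after the `setusercontext()` call (execv() follows, so it is tidiness rather than a real leak). Both new failure paths exit with 109; suexec conventionally uses a distinct exit status per failure so the status alone identifies the cause in the log, so give the `setusercontext()` failure its own code (e.g. 110). The ordering is correct for what the patch intends: `setusercontext(lc, pw, uid, LOGIN_SETRESOURCES)` runs before the "Change UID/GID here" block, while suexec still holds root, which is what allows hard limits from login.conf to be raised for the target user rather than only lowered. Note also that the added `++#include` line as shown has no header name (the angle-bracketed names appear to have been lost in extraction); the declarations used here, `login_cap_t`, `login_getclassbyname()` and `setusercontext()`, come from `<login_cap.h>`, and the corresponding `-lutil` in the support/Makefile.in hunk is what links them, which is FreeBSD-specific and acceptable for a ports-only patch.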