Date: Mon, 20 Jul 2009 12:27:05 GMT
From: Alex Keda <admin@lissyara.su>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/136928: [PATCH] www/apache20 - suexec resource limits patch
Message-ID: <200907201227.n6KCR5EK085476@www.freebsd.org>
Resent-Message-ID: <200907201230.n6KCU7SB068361@freefall.freebsd.org>
>Number: 136928
>Category: ports
>Synopsis: [PATCH] www/apache20 - suexec resource limits patch
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Mon Jul 20 12:30:06 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Alex Keda
>Release: 7.2
>Organization: USSR
>Environment: FreeBSD srv2.host-food.ru 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Tue May 12 17:09:23 MSD 2009 lissyara@srv2.host-food.ru:/home2/tmp/usr/src/sys/HOST-FOOD i386
>Description: resource limit patch, based on http://www.freebsd.org/cgi/query-pr.cgi?pr=136091
I have successfully used it on 4 production servers (last 2 weeks)
>How-To-Repeat:
>Fix: see patch

Patch attached with submission follows:

diff -Nru www/apache20.orig/apache20.suexec.login.conf.limits.diff www/apache20/apache20.suexec.login.conf.limits.diff --- www/apache20.orig/apache20.suexec.login.conf.limits.diff 1970-01-01 03:00:00.000000000 +0300 +++ www/apache20/apache20.suexec.login.conf.limits.diff 2009-07-08 10:34:30.000000000 +0400 
@@ -0,0 +1,50 @@ +diff -Nru www/apache20.orig/work/httpd-2.0.63/support/Makefile.in www/apache20/work/httpd-2.0.63/support/Makefile.in +--- www/apache20.orig/work/httpd-2.0.63/support/Makefile.in 2009-07-08 10:27:36.000000000 +0400 ++++ www/apache20/work/httpd-2.0.63/support/Makefile.in 2009-07-08 10:33:26.000000000 +0400 +@@ -57,7 +57,7 @@ + + suexec_OBJECTS = suexec.lo + suexec: $(suexec_OBJECTS) +- $(LINK) $(suexec_OBJECTS) ++ $(LINK) -lutil $(suexec_OBJECTS) + + httxt2dbm_OBJECTS = httxt2dbm.lo + httxt2dbm: $(httxt2dbm_OBJECTS) +diff -Nru www/apache20.orig/work/httpd-2.0.63/support/suexec.c www/apache20/work/httpd-2.0.63/support/suexec.c +--- www/apache20.orig/work/httpd-2.0.63/support/suexec.c 2006-07-12 11:40:55.000000000 +0400 ++++ www/apache20/work/httpd-2.0.63/support/suexec.c 2009-07-08 10:32:47.000000000 +0400 +@@ -37,6 +37,7 @@ + #include <sys/param.h> + #include <sys/stat.h> + #include <sys/types.h> ++#include <login_cap.h> + #include <string.h> + #include <time.h> + #if APR_HAVE_UNISTD_H +@@ -242,6 +243,7 @@ + char *cmd; /* command to be executed */ + char cwd[AP_MAXPATH]; /* current working directory */ + char dwd[AP_MAXPATH]; /* docroot working directory */ ++ login_cap_t *lc; /* user resource limits */ + struct passwd *pw; /* password entry holder */ + struct group *gr; /* group entry holder */ + struct stat dir_info; /* directory info holder */ +@@ -448,6 +450,18 @@ + } + + /* ++ * Apply user resource limits based on login class. ++ */ ++ if ((lc = login_getclassbyname(pw->pw_class, pw)) == NULL) { ++ log_err("failed to login_getclassbyname()\n"); ++ exit(109); ++ } ++ if ((setusercontext(lc, pw, uid, LOGIN_SETRESOURCES)) != 0) { ++ log_err("failed to setusercontext()\n"); ++ exit(109); ++ } ++ ++ /* + * Change UID/GID here so that the following tests work over NFS. 
+ * + * Initialize the group access list for the target user, diff -Nru www/apache20.orig/files/patch-support:Makefile.in www/apache20/files/patch-support:Makefile.in --- www/apache20.orig/files/patch-support:Makefile.in 2009-07-20 16:10:25.000000000 +0400 +++ www/apache20/files/patch-support:Makefile.in 2009-07-20 16:19:14.000000000 +0400 @@ -12,3 +12,13 @@ fi htpasswd_OBJECTS = htpasswd.lo +@@ -57,7 +57,7 @@ + + suexec_OBJECTS = suexec.lo + suexec: $(suexec_OBJECTS) +- $(LINK) $(suexec_OBJECTS) ++ $(LINK) -lutil $(suexec_OBJECTS) + + httxt2dbm_OBJECTS = httxt2dbm.lo + httxt2dbm: $(httxt2dbm_OBJECTS) + diff -Nru www/apache20.orig/files/patch-support:suexec.c www/apache20/files/patch-support:suexec.c --- www/apache20.orig/files/patch-support:suexec.c 1970-01-01 03:00:00.000000000 +0300 +++ www/apache20/files/patch-support:suexec.c 2009-07-20 16:16:12.000000000 +0400 
@@ -0,0 +1,37 @@ +--- support/suexec.c 2006-07-12 11:40:55.000000000 +0400 ++++ support/suexec.c 2009-07-08 10:32:47.000000000 +0400 +@@ -37,6 +37,7 @@ + #include <sys/param.h> + #include <sys/stat.h> + #include <sys/types.h> ++#include <login_cap.h> + #include <string.h> + #include <time.h> + #if APR_HAVE_UNISTD_H +@@ -242,6 +243,7 @@ + char *cmd; /* command to be executed */ + char cwd[AP_MAXPATH]; /* current working directory */ + char dwd[AP_MAXPATH]; /* docroot working directory */ ++ login_cap_t *lc; /* user resource limits */ + struct passwd *pw; /* password entry holder */ + struct group *gr; /* group entry holder */ + struct stat dir_info; /* directory info holder */ +@@ -448,6 +450,18 @@ + } + + /* ++ * Apply user resource limits based on login class. ++ */ ++ if ((lc = login_getclassbyname(pw->pw_class, pw)) == NULL) { ++ log_err("failed to login_getclassbyname()\n"); ++ exit(109); ++ } ++ if ((setusercontext(lc, pw, uid, LOGIN_SETRESOURCES)) != 0) { ++ log_err("failed to setusercontext()\n"); ++ exit(109); ++ } ++ ++ /* + * Change UID/GID here so that the following tests work over NFS. + * + * Initialize the group access list for the target user, >Release-Note: >Audit-Trail: >Unformatted:
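Review bot: The new top-level file www/apache20/apache20.suexec.login.conf.limits.diff (first hunk, @@ -0,0 +1,50 @@) repeats the same Makefile.in and suexec.c changes that the later hunks add under files/, and its paths point into work/httpd-2.0.63/, so it looks like a leftover from preparing the patch. The ports framework only applies the files/patch-* copies; drop this file from the submission. The diff also leaves the port Makefile untouched, so the new suexec behaviour is applied unconditionally with no knob to turn it off; consider making it optional.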
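Review bot: Link order in the suexec rule of support/Makefile.in: `$(LINK) -lutil $(suexec_OBJECTS)` names the library before the objects that need it. Linkers resolve symbols left to right, so with a static libutil or as-needed linking login_getclassbyname() and setusercontext() can end up unresolved. Put the library after the objects: `$(LINK) $(suexec_OBJECTS) -lutil`.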
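Review bot: In the suexec.c hunk at @@ -448,6 +450,18 @@, lc is never released: no login_close(lc) appears after setusercontext() or on its failure path, so add one once the limits are applied. Both failure paths also exit with the same code 109 and log neither the user nor the class name, which makes a misconfigured login class hard to trace from the suexec log; use distinct exit codes and include pw->pw_name in the message. Applying the limits before the UID/GID change is the right order, since raising hard limits needs root, and a one-line comment saying so would keep a later reorder from breaking it. login_getpwclass(pw) is the libutil call intended for a passwd entry and would avoid passing pw->pw_class by hand.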