From owner-freebsd-ports-bugs@FreeBSD.ORG Mon Jul 20 12:30:07 2009
Message-Id: <200907201227.n6KCR5EK085476@www.freebsd.org>
Date: Mon, 20 Jul 2009 12:27:05 GMT
From: Alex Keda
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/136928: [PATCH] www/apache20 - suexec resource limits patch

>Number: 136928
>Category: ports
>Synopsis: [PATCH] www/apache20 - suexec resource limits patch
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Mon Jul 20 12:30:06 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Alex Keda
>Release: 7.2
>Organization: USSR
>Environment:
FreeBSD srv2.host-food.ru 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Tue May 12 17:09:23 MSD 2009 lissyara@srv2.host-food.ru:/home2/tmp/usr/src/sys/HOST-FOOD i386
>Description:
resource limit patch, based on http://www.freebsd.org/cgi/query-pr.cgi?pr=136091
I have successfully used it on 4 production servers (last 2 weeks)
>How-To-Repeat:
>Fix:
see patch

Patch attached with submission follows:

diff -Nru www/apache20.orig/apache20.suexec.login.conf.limits.diff www/apache20/apache20.suexec.login.conf.limits.diff --- www/apache20.orig/apache20.suexec.login.conf.limits.diff 1970-01-01 03:00:00.000000000 +0300 +++ www/apache20/apache20.suexec.login.conf.limits.diff 2009-07-08 10:34:30.000000000 +0400
@@ -0,0 +1,50 @@ +diff -Nru www/apache20.orig/work/httpd-2.0.63/support/Makefile.in www/apache20/work/httpd-2.0.63/support/Makefile.in +--- www/apache20.orig/work/httpd-2.0.63/support/Makefile.in 2009-07-08 10:27:36.000000000 +0400 ++++ www/apache20/work/httpd-2.0.63/support/Makefile.in 2009-07-08 10:33:26.000000000 +0400 +@@ -57,7 +57,7 @@ + + suexec_OBJECTS = suexec.lo + suexec: $(suexec_OBJECTS) +- $(LINK) $(suexec_OBJECTS) ++ $(LINK) -lutil $(suexec_OBJECTS) + + httxt2dbm_OBJECTS = httxt2dbm.lo + httxt2dbm: $(httxt2dbm_OBJECTS) +diff -Nru www/apache20.orig/work/httpd-2.0.63/support/suexec.c www/apache20/work/httpd-2.0.63/support/suexec.c +--- www/apache20.orig/work/httpd-2.0.63/support/suexec.c 2006-07-12 11:40:55.000000000 +0400 ++++ www/apache20/work/httpd-2.0.63/support/suexec.c 2009-07-08 10:32:47.000000000 +0400 +@@ -37,6 +37,7 @@ + #include + #include + #include ++#include + #include + #include + #if APR_HAVE_UNISTD_H +@@ -242,6 +243,7 @@ + char *cmd; /* command to be executed */ + char cwd[AP_MAXPATH]; /* current working directory */ + char dwd[AP_MAXPATH]; /* docroot working directory */ ++ login_cap_t *lc; /* user resource limits */ + struct passwd *pw; /* password entry holder */ + struct group *gr; /* group entry holder */ + struct stat dir_info; /* directory info holder */ +@@ -448,6 +450,18 @@ + } + + /* ++ * Apply user resource limits based on login class. ++ */ ++ if ((lc = login_getclassbyname(pw->pw_class, pw)) == NULL) { ++ log_err("failed to login_getclassbyname()\n"); ++ exit(109); ++ } ++ if ((setusercontext(lc, pw, uid, LOGIN_SETRESOURCES)) != 0) { ++ log_err("failed to setusercontext()\n"); ++ exit(109); ++ } ++ ++ /* + * Change UID/GID here so that the following tests work over NFS. 
+ * + * Initialize the group access list for the target user, diff -Nru www/apache20.orig/files/patch-support:Makefile.in www/apache20/files/patch-support:Makefile.in --- www/apache20.orig/files/patch-support:Makefile.in 2009-07-20 16:10:25.000000000 +0400 +++ www/apache20/files/patch-support:Makefile.in 2009-07-20 16:19:14.000000000 +0400 @@ -12,3 +12,13 @@ fi htpasswd_OBJECTS = htpasswd.lo +@@ -57,7 +57,7 @@ + + suexec_OBJECTS = suexec.lo + suexec: $(suexec_OBJECTS) +- $(LINK) $(suexec_OBJECTS) ++ $(LINK) -lutil $(suexec_OBJECTS) + + httxt2dbm_OBJECTS = httxt2dbm.lo + httxt2dbm: $(httxt2dbm_OBJECTS) + diff -Nru www/apache20.orig/files/patch-support:suexec.c www/apache20/files/patch-support:suexec.c --- www/apache20.orig/files/patch-support:suexec.c 1970-01-01 03:00:00.000000000 +0300 +++ www/apache20/files/patch-support:suexec.c 2009-07-20 16:16:12.000000000 +0400 
@@ -0,0 +1,37 @@ +--- support/suexec.c 2006-07-12 11:40:55.000000000 +0400 ++++ support/suexec.c 2009-07-08 10:32:47.000000000 +0400 +@@ -37,6 +37,7 @@ + #include + #include + #include ++#include + #include + #include + #if APR_HAVE_UNISTD_H +@@ -242,6 +243,7 @@ + char *cmd; /* command to be executed */ + char cwd[AP_MAXPATH]; /* current working directory */ + char dwd[AP_MAXPATH]; /* docroot working directory */ ++ login_cap_t *lc; /* user resource limits */ + struct passwd *pw; /* password entry holder */ + struct group *gr; /* group entry holder */ + struct stat dir_info; /* directory info holder */ +@@ -448,6 +450,18 @@ + } + + /* ++ * Apply user resource limits based on login class. ++ */ ++ if ((lc = login_getclassbyname(pw->pw_class, pw)) == NULL) { ++ log_err("failed to login_getclassbyname()\n"); ++ exit(109); ++ } ++ if ((setusercontext(lc, pw, uid, LOGIN_SETRESOURCES)) != 0) { ++ log_err("failed to setusercontext()\n"); ++ exit(109); ++ } ++ ++ /* + * Change UID/GID here so that the following tests work over NFS. + * + * Initialize the group access list for the target user, >Release-Note: >Audit-Trail: >Unformatted:
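Review bot: the new top-level file `www/apache20/apache20.suexec.login.conf.limits.diff` looks like a stray working copy that should not be part of the submission. Its content is a diff against `work/httpd-2.0.63/` paths and repeats, hunk for hunk, what `files/patch-support:Makefile.in` and `files/patch-support:suexec.c` already carry, so nothing in the port would apply it. Suggest dropping that file and keeping only the two `files/` patches.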
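Review bot: in the `@@ -57,7 +57,7 @@` hunk added to `files/patch-support:Makefile.in`, `-lutil` is placed before `$(suexec_OBJECTS)` on the link line. Libraries should follow the objects that reference them, otherwise a static link or a linker that drops unneeded libraries can leave `login_getclassbyname` and `setusercontext` unresolved. Suggest `$(LINK) $(suexec_OBJECTS) -lutil`.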
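Review bot: in the `@@ -448,6 +450,18 @@` hunk of `files/patch-support:suexec.c`, `lc` is never released and both failure paths exit with the same code 109, so only the log text tells them apart. Suggest calling `login_close(lc)` once `setusercontext()` has returned, giving the two failures distinct exit codes, and including `pw->pw_name` and `pw->pw_class` in the `log_err()` messages so a misconfigured login class can be traced to a user. The block also depends on running before the "Change UID/GID here" section that follows it, since limits are being set while suexec is still privileged; the added comment should say so, so a later reordering does not silently move it after the privilege drop.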