Date:      Mon, 20 Jul 2009 12:27:05 GMT
From:      Alex Keda <admin@lissyara.su>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/136928: [PATCH] www/apache20 - suexec resource limits patch
Message-ID:  <200907201227.n6KCR5EK085476@www.freebsd.org>
Resent-Message-ID: <200907201230.n6KCU7SB068361@freefall.freebsd.org>


>Number:         136928
>Category:       ports
>Synopsis:       [PATCH] www/apache20 - suexec resource limits patch
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 20 12:30:06 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Alex Keda
>Release:        7.2
>Organization:
USSR
>Environment:
FreeBSD srv2.host-food.ru 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Tue May 12 17:09:23 MSD 2009     lissyara@srv2.host-food.ru:/home2/tmp/usr/src/sys/HOST-FOOD  i386
>Description:
resource limit patch, based on http://www.freebsd.org/cgi/query-pr.cgi?pr=136091
I have been using it successfully on 4 production servers (for the last 2 weeks)
>How-To-Repeat:

>Fix:
see patch

Patch attached with submission follows:

diff -Nru www/apache20.orig/apache20.suexec.login.conf.limits.diff www/apache20/apache20.suexec.login.conf.limits.diff
--- www/apache20.orig/apache20.suexec.login.conf.limits.diff	1970-01-01 03:00:00.000000000 +0300
+++ www/apache20/apache20.suexec.login.conf.limits.diff	2009-07-08 10:34:30.000000000 +0400
@@ -0,0 +1,50 @@
+diff -Nru www/apache20.orig/work/httpd-2.0.63/support/Makefile.in www/apache20/work/httpd-2.0.63/support/Makefile.in
+--- www/apache20.orig/work/httpd-2.0.63/support/Makefile.in	2009-07-08 10:27:36.000000000 +0400
++++ www/apache20/work/httpd-2.0.63/support/Makefile.in	2009-07-08 10:33:26.000000000 +0400
+@@ -57,7 +57,7 @@
+ 
+ suexec_OBJECTS = suexec.lo
+ suexec: $(suexec_OBJECTS)
+-	$(LINK) $(suexec_OBJECTS)
++	$(LINK) -lutil $(suexec_OBJECTS)
+ 
+ httxt2dbm_OBJECTS = httxt2dbm.lo
+ httxt2dbm: $(httxt2dbm_OBJECTS)
+diff -Nru www/apache20.orig/work/httpd-2.0.63/support/suexec.c www/apache20/work/httpd-2.0.63/support/suexec.c
+--- www/apache20.orig/work/httpd-2.0.63/support/suexec.c	2006-07-12 11:40:55.000000000 +0400
++++ www/apache20/work/httpd-2.0.63/support/suexec.c	2009-07-08 10:32:47.000000000 +0400
+@@ -37,6 +37,7 @@
+ #include <sys/param.h>
+ #include <sys/stat.h>
+ #include <sys/types.h>
++#include <login_cap.h>
+ #include <string.h>
+ #include <time.h>
+ #if APR_HAVE_UNISTD_H
+@@ -242,6 +243,7 @@
+     char *cmd;              /* command to be executed    */
+     char cwd[AP_MAXPATH];   /* current working directory */
+     char dwd[AP_MAXPATH];   /* docroot working directory */
++    login_cap_t *lc;        /* user resource limits      */
+     struct passwd *pw;      /* password entry holder     */
+     struct group *gr;       /* group entry holder        */
+     struct stat dir_info;   /* directory info holder     */
+@@ -448,6 +450,18 @@
+     }
+ 
+     /*
++     * Apply user resource limits based on login class.
++     */
++    if ((lc = login_getclassbyname(pw->pw_class, pw)) == NULL) {
++               log_err("failed to login_getclassbyname()\n");
++               exit(109);
++       }
++       if ((setusercontext(lc, pw, uid, LOGIN_SETRESOURCES)) != 0) {
++               log_err("failed to setusercontext()\n");
++               exit(109);
++       }
++
++    /*
+      * Change UID/GID here so that the following tests work over NFS.
+      *
+      * Initialize the group access list for the target user,
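Review bot: `login_getclassbyname(pw->pw_class, pw)` is called with the target user's passwd entry while suexec is still privileged (the UID/GID change comes after this block), and as I read login_cap(3) a non-NULL passwd argument lets the lookup consider that user's own `~/.login_conf`. Unless per-user overrides are intended, resolve the class from the system database only, e.g. `lc = login_getclassbyname(pw->pw_class, NULL);`, and confirm how an empty `pw_class` is handled. `lc` is also never released in the visible lines; a `login_close(lc);` once the limits are applied would release it. The same lines are added again in files/patch-support:suexec.c further down, and the enclosing function begins and ends outside this hunk.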
diff -Nru www/apache20.orig/files/patch-support:Makefile.in www/apache20/files/patch-support:Makefile.in
--- www/apache20.orig/files/patch-support:Makefile.in	2009-07-20 16:10:25.000000000 +0400
+++ www/apache20/files/patch-support:Makefile.in	2009-07-20 16:19:14.000000000 +0400
@@ -12,3 +12,13 @@
  	fi
  
  htpasswd_OBJECTS = htpasswd.lo
+@@ -57,7 +57,7 @@
+
+ suexec_OBJECTS = suexec.lo
+ suexec: $(suexec_OBJECTS)
+-	$(LINK) $(suexec_OBJECTS)
++	$(LINK) -lutil $(suexec_OBJECTS)
+
+ httxt2dbm_OBJECTS = httxt2dbm.lo
+ httxt2dbm: $(httxt2dbm_OBJECTS)
+
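Review bot: `-lutil` is placed before `$(suexec_OBJECTS)` on the link line, and linkers resolve libraries left to right, so a library named ahead of the objects that need it can be dropped when linking statically or with as-needed semantics. The conventional order is `$(LINK) $(suexec_OBJECTS) -lutil`. The final bare `+` line also appends an empty line to the end of the patch file, which looks unintended.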
diff -Nru www/apache20.orig/files/patch-support:suexec.c www/apache20/files/patch-support:suexec.c
--- www/apache20.orig/files/patch-support:suexec.c	1970-01-01 03:00:00.000000000 +0300
+++ www/apache20/files/patch-support:suexec.c	2009-07-20 16:16:12.000000000 +0400
@@ -0,0 +1,37 @@
+--- support/suexec.c	2006-07-12 11:40:55.000000000 +0400
++++ support/suexec.c	2009-07-08 10:32:47.000000000 +0400
+@@ -37,6 +37,7 @@
+ #include <sys/param.h>
+ #include <sys/stat.h>
+ #include <sys/types.h>
++#include <login_cap.h>
+ #include <string.h>
+ #include <time.h>
+ #if APR_HAVE_UNISTD_H
+@@ -242,6 +243,7 @@
+     char *cmd;              /* command to be executed    */
+     char cwd[AP_MAXPATH];   /* current working directory */
+     char dwd[AP_MAXPATH];   /* docroot working directory */
++    login_cap_t *lc;        /* user resource limits      */
+     struct passwd *pw;      /* password entry holder     */
+     struct group *gr;       /* group entry holder        */
+     struct stat dir_info;   /* directory info holder     */
+@@ -448,6 +450,18 @@
+     }
+ 
+     /*
++     * Apply user resource limits based on login class.
++     */
++    if ((lc = login_getclassbyname(pw->pw_class, pw)) == NULL) {
++               log_err("failed to login_getclassbyname()\n");
++               exit(109);
++       }
++       if ((setusercontext(lc, pw, uid, LOGIN_SETRESOURCES)) != 0) {
++               log_err("failed to setusercontext()\n");
++               exit(109);
++       }
++
++    /*
+      * Change UID/GID here so that the following tests work over NFS.
+      *
+      * Initialize the group access list for the target user,
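Review bot: Both new failure paths call `exit(109)` with a fixed message, so the suexec log cannot tell an operator which user or login class the limits could not be applied for, and the exit status does not distinguish the two calls. Whether 109 is already used by another exit in suexec.c is not visible from this hunk; each failure should get its own unused code. If `log_err` takes a printf-style format, as the literals suggest, something like `log_err("failed to setusercontext() for uid %ld\n", (long) uid);` would make the entry actionable. The added lines also mix 4-, 7- and 15-space indentation, where the surrounding code uses 4 spaces per level.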


>Release-Note:
>Audit-Trail:
>Unformatted:


