From owner-freebsd-isp Wed Apr 11 0: 6:19 2001
Delivered-To: freebsd-isp@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 6C57537B422 for ; Wed, 11 Apr 2001 00:06:16 -0700 (PDT) (envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.3/8.11.3) with SMTP id f3B76Pf84991; Wed, 11 Apr 2001 03:06:26 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Date: Wed, 11 Apr 2001 03:06:24 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Blaz Zupan
Cc: Marcus Reid, freebsd-isp@freebsd.org
Subject: Re: Apache suexec and class capabilities
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 9 Apr 2001, Blaz Zupan wrote:

> > I'd like to subject any CGI run through Apache with suexec to the resource
> > limitations imposed by login.conf. I see that there are a couple of patches
> > to this effect included in the apache13-fp port, but they seem to be aimed
> > at solving a problem with FrontPage extensions (which I'm not going to use.)
> >
> > Is there a patch floating around, or some way of doing this?
>
> Take a look at this one, it works fine for us:
>
> http://www.FreeBSD.org/cgi/query-pr.cgi?pr=13606

I notice that this PR has aged quite a bit -- a better approach would probably be for us to verify it does everything we want, and then attempt to get it integrated on the Apache side.

I've recently spent some time scouring our tree looking for situations where setusercontext() is not used, as setusercontext() will be responsible for maintaining additional process capabilities and MAC labels at login-time. Probably, the setusercontext() call in this patch should use SETLOGIN_ALL minus any SETLOGIN flags that need to be explicitly excluded. Perhaps ideally, it would also set the uids and so on, although suexec probably also has its own notions on how to handle that.

Robert N M Watson
FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org
NAI Labs, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
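Added example, not part of the thread and not the patch attached to PR 13606: a C sketch of the setusercontext() call a suexec-style wrapper could make so that a CGI child inherits the target user's login.conf class. In login_cap.h the mask is spelled LOGIN_SETALL and the individual bits LOGIN_SET*; the sketch takes LOGIN_SETALL minus the bits suexec already handles itself (LOGIN_SETUSER, LOGIN_SETGROUP) and minus the bits that do not belong in a CGI child (LOGIN_SETLOGIN, which renames the server's whole session; LOGIN_SETPATH and LOGIN_SETENV, which would overwrite suexec's own safe PATH and environment). The function names suexec_context_flags() and suexec_apply_class() are invented for the example, and the non-FreeBSD branch is a labelled stand-in so the flag arithmetic compiles on other systems; it is not an implementation of the library.

```c
/*
 * Added example (not from the thread, not from PR 13606): applying the
 * target user's login.conf class from a suexec-style wrapper.
 * Assumed: the wrapper is still root when this runs and does its own
 * initgroups()/setgid()/setuid() afterwards, as Apache's suexec does.
 */
#include <sys/types.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#ifdef __FreeBSD__
#include <login_cap.h>
#else
/* Stand-in for non-FreeBSD builds only: the FreeBSD 4.x flag values, and a
 * setusercontext() that just records what it was asked to do. */
#define LOGIN_SETGROUP     0x0001
#define LOGIN_SETLOGIN     0x0002
#define LOGIN_SETPATH      0x0004
#define LOGIN_SETPRIORITY  0x0008
#define LOGIN_SETRESOURCES 0x0010
#define LOGIN_SETUMASK     0x0020
#define LOGIN_SETUSER      0x0040
#define LOGIN_SETENV       0x0080
#define LOGIN_SETALL       0x00ff
typedef struct { int unused; } login_cap_t;
static unsigned int stub_last_flags;
static login_cap_t *login_getpwclass(const struct passwd *pw)
{
    static login_cap_t lc;
    (void)pw;
    return &lc;
}
static int setusercontext(login_cap_t *lc, const struct passwd *pw,
                          uid_t uid, unsigned int flags)
{
    (void)lc; (void)pw; (void)uid;
    stub_last_flags = flags;
    return 0;
}
static void login_close(login_cap_t *lc) { (void)lc; }
#endif

/* Everything the class defines, except the uid/gid switch suexec performs
 * itself, setlogin() on the server's session, and the PATH/environment
 * settings that would override suexec's own safe values. What is left is
 * resource limits, priority and umask. */
unsigned int suexec_context_flags(void)
{
    return LOGIN_SETALL & ~(LOGIN_SETUSER | LOGIN_SETGROUP |
                            LOGIN_SETLOGIN | LOGIN_SETPATH | LOGIN_SETENV);
}

/* Apply the class while still root: LOGIN_SETRESOURCES may have to raise
 * hard limits above those the server process inherited, which an
 * unprivileged process cannot do. Returns 0 on success, -1 on failure. */
int suexec_apply_class(const struct passwd *pw)
{
    login_cap_t *lc = login_getpwclass(pw);   /* pw_class, or "default" */
    if (lc == NULL) {
        fprintf(stderr, "suexec: cannot read login class for %s\n",
                pw->pw_name);
        return -1;
    }
    int rc = setusercontext(lc, pw, pw->pw_uid, suexec_context_flags());
    login_close(lc);
    if (rc != 0) {
        fprintf(stderr, "suexec: setusercontext failed for %s\n",
                pw->pw_name);
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s username\n", argv[0]);
        return 2;
    }
    struct passwd *pw = getpwnam(argv[1]);
    if (pw == NULL) {
        fprintf(stderr, "no such user: %s\n", argv[1]);
        return 1;
    }
    /* In a real wrapper the setgid()/initgroups()/setuid() dance and the
     * execv() of the CGI would follow here, still in this order. */
    return suexec_apply_class(pw) == 0 ? 0 : 1;
}
```

The ordering is the part worth checking in any patch of this kind: the class must be applied before the uid switch, and the uid switch must still be done by the wrapper (or, as the message suggests, by handing LOGIN_SETUSER and LOGIN_SETGROUP to setusercontext() instead), but never both.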