From owner-freebsd-isp Thu Apr 12 1:39:16 2001 Delivered-To: freebsd-isp@freebsd.org Received: from zork.punq.net (punq.net [207.154.84.94]) by hub.freebsd.org (Postfix) with SMTP id E107737B43F for ; Thu, 12 Apr 2001 01:39:11 -0700 (PDT) (envelope-from marcus@blazingdot.com) Received: (qmail 50347 invoked by uid 1000); 12 Apr 2001 08:39:11 -0000 Date: Thu, 12 Apr 2001 01:39:11 -0700 From: Marcus Reid To: Robert Watson Cc: freebsd-isp@freebsd.org Subject: Re: Apache suexec and class capabilities Message-ID: <20010412013911.A45054@blazingdot.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from rwatson@freebsd.org on Wed, Apr 11, 2001 at 03:06:24AM -0400 Coffee-Level: high Sender: owner-freebsd-isp@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Apr 11, 2001 at 03:06:24AM -0400, Robert Watson wrote: > > On Mon, 9 Apr 2001, Blaz Zupan wrote: > > > > I'd like to subject any CGI run through Apache with suexec to the resource > > > limitations imposed by login.conf. I see that there is a couple of patches > > > to this effect included in the apache13-fp port, but they seem to be aimed > > > at solving a problem with FrontPage extensions (which I'm not going to use.) > > > > > > Is there a patch floating around, or some way of doing this? > > > > Take a look at this one, it works fine for us: > > > > http://www.FreeBSD.org/cgi/query-pr.cgi?pr=13606 > > I notice that this PR has aged quite a bit -- a better approach would > probably be for us to verify it does everything we want, and then attempt > to get it integrated on the Apache side. I've recently spent some time > scouring our tree looking for situations where setusercontext() is not > used, as setusercontext() will be responsible for maintaining additional > process capabilities and MAC labels at login-time. Probably, the > setusercontext() call in this patch should use SETLOGIN_ALL minus any > SETLOGIN flags that need to be explicitly excluded. Perhaps ideally, it > would also set the uid's and so on, although suexec probably also has its > own notions on how to handle that. > > Robert N M Watson FreeBSD Core Team, TrustedBSD Project > robert@fledge.watson.org NAI Labs, Safeport Network Services > SUEXEC sets the path to compile-time values, only lets a ''safe'' set of environment variables through, sets the umask if specified compile-time and has its own UID/GID stuff, leaving a whopping LOGIN_SETRESOURCES|LOGIN_SETPRIORITY left for the setusercontext() flags. It seems nice to be able to set the priority (no pun intended) so I put that in there as well. -- Marcus Reid Blazingdot.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message