Posted to dev@httpd.apache.org by "Philip M. Gollucci" <pg...@p6m7g8.com> on 2009/12/14 07:11:10 UTC
[patch]: suexec resource limits don't work
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/136091
By default suexec doesn't enforce the different resource limitations
configured in login.conf(5). This is probably because resource
limitations are handled differently on various platforms.
The attached patch modifies suexec behaviour to set resource limits for
CGIs from /etc/login.conf before execing the customer's CGI script.
FWIW, www/apache13 has locally implemented this functionality for years
in FreeBSD ports, so it's time-tested.
Updating all the exit() codes is an exercise left to the committer.
$ ~/dev/repos/asf/asf/httpd/httpd/trunk> svn diff
Index: support/Makefile.in
===================================================================
--- support/Makefile.in (revision 889865)
+++ support/Makefile.in (working copy)
@@ -60,7 +60,7 @@
suexec_OBJECTS = suexec.lo
suexec: $(suexec_OBJECTS)
- $(LINK) $(suexec_OBJECTS)
+ $(LINK) -lutil $(suexec_OBJECTS)
htcacheclean_OBJECTS = htcacheclean.lo
htcacheclean: $(htcacheclean_OBJECTS)
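Review bot: `-lutil` is added to the suexec link line unconditionally, but the login_cap(3) API it is needed for exists only in the BSD libutil; on Linux, Solaris and other platforms this link will either fail or pull in an unrelated libutil. Gate it on a configure-time check (for example a substituted variable that is only set when `login_cap.h` and `setusercontext` are detected) and append it after the objects, as in `$(LINK) $(suexec_OBJECTS) $(SUEXEC_LIBS)`, since linkers that process libraries in order (GNU ld with `--as-needed`) discard a library listed before the objects that reference it.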
Index: support/suexec.c
===================================================================
--- support/suexec.c (revision 889865)
+++ support/suexec.c (working copy)
@@ -37,6 +37,7 @@
#include <sys/param.h>
#include <sys/stat.h>
#include <sys/types.h>
+#include <login_cap.h>
#include <string.h>
#include <time.h>
#if APR_HAVE_UNISTD_H
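Review bot: the new `#include <login_cap.h>` is unconditional, and that header does not exist outside the BSDs, so the build breaks everywhere else. Wrap it (and the code that depends on it later in the file) in a guard such as `#ifdef HAVE_LOGIN_CAP_H`, following the pattern of the `#if APR_HAVE_UNISTD_H` guard right below it.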
@@ -239,6 +240,7 @@
char *cmd; /* command to be executed */
char cwd[AP_MAXPATH]; /* current working directory */
char dwd[AP_MAXPATH]; /* docroot working directory */
+ login_cap_t *lc /* user resource limits */
struct passwd *pw; /* password entry holder */
struct group *gr; /* group entry holder */
struct stat dir_info; /* directory info holder */
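Review bot: the added declaration `login_cap_t *lc /* user resource limits */` is missing its terminating semicolon, so this hunk does not compile. It also needs the same platform guard as the `login_cap.h` include, since `login_cap_t` is only defined there.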
@@ -447,6 +449,18 @@
}
/*
+ * Apply user resource limits based on login class.
+ */
+ if ((lc = login_getclassbyname(pw->pw_class, pw)) == NULL) {
+ log_err("failed to login_getclassbyname()\n");
+ exit(109);
+ }
+ if ((setusercontext(lc, pw, uid, LOGIN_SETRESOURCES)) != 0) {
+ log_err("failed to setusercontext()\n");
+ exit(109);
+ }
+
+ /*
* Change UID/GID here so that the following tests work over NFS.
*
* Initialize the group access list for the target user,
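Review bot: the `login_cap_t` handle obtained from `login_getclassbyname()` is never released with `login_close(lc)` after `setusercontext()` returns, and both failure paths exit with the same code 109, so a log reader cannot tell a class lookup failure from a limit-setting failure (the message acknowledges the exit codes still need sorting). Consider `login_close(lc)` after a successful `setusercontext()`, a distinct exit code per failure, and including `pw->pw_class` and `strerror(errno)` in the `log_err()` text so the operator can see which class and which error were involved. `pw->pw_class` is itself a BSD-only member of `struct passwd`, so this whole block must sit under the same `#ifdef` as the header and the declaration.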
--
------------------------------------------------------------------------
1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70 3F8C 75B8 8FFB DB9B 8C1C
Philip M. Gollucci (pgollucci@p6m7g8.com) c: 703.336.9354
VP Apache Infrastructure; Member, Apache Software Foundation
Committer, FreeBSD Foundation
Consultant, P6M7G8 Inc.
Sr. System Admin, Ridecharge Inc.
Work like you don't need the money,
love like you'll never get hurt,
and dance like nobody's watching.
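As an added example (not from the posted patch or from httpd itself): the same idea, applying per-class resource limits in the child immediately before it execs the CGI, written with POSIX setrlimit(2) instead of the BSD-only login_getclassbyname(3)/setusercontext(3) calls so that it compiles on any POSIX system. The class table, its limit values and all helper names are constructed stand-ins for login.conf(5) entries; it also shows the distinct-exit-code handling the message leaves to the committer.

```c
/* Added example (not part of the posted patch or of httpd): apply per-class
 * resource limits to a process right before it execs a CGI script, using
 * POSIX setrlimit(2) rather than the BSD-only login_cap(3) API.  The class
 * table is a constructed stand-in for login.conf(5); values are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

struct class_limits {
    const char *name;   /* login class name, what pw_class would hold on BSD */
    rlim_t cputime;     /* RLIMIT_CPU, seconds of CPU time */
    rlim_t openfiles;   /* RLIMIT_NOFILE, open descriptors */
};

/* Constructed table, not real login.conf data. */
static const struct class_limits limits_table[] = {
    { "default", 600, 1024 },
    { "cgi",      60,  256 },
};

static const struct class_limits *lookup_class(const char *name)
{
    size_t i;
    if (name == NULL || *name == '\0')
        name = "default";               /* empty class falls back to default */
    for (i = 0; i < sizeof limits_table / sizeof limits_table[0]; i++)
        if (strcmp(limits_table[i].name, name) == 0)
            return &limits_table[i];
    return NULL;                        /* unknown class: caller fails closed */
}

/* Set one soft limit to 'want', clamped to the hard limit: an unprivileged
 * process may not raise the hard limit, so clamp instead of failing. */
static int set_soft_limit(int resource, rlim_t want)
{
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0)
        return -1;
    if (rl.rlim_max != RLIM_INFINITY && want > rl.rlim_max)
        want = rl.rlim_max;
    rl.rlim_cur = want;
    return setrlimit(resource, &rl);
}

/* Returns 0 on success, or a distinct negative code per failure so a caller
 * like suexec can map each one to its own exit status and log message. */
int apply_class_limits(const char *class_name)
{
    const struct class_limits *cl = lookup_class(class_name);
    if (cl == NULL)
        return -1;
    if (set_soft_limit(RLIMIT_CPU, cl->cputime) != 0)
        return -2;
    if (set_soft_limit(RLIMIT_NOFILE, cl->openfiles) != 0)
        return -3;
    return 0;
}

/* Verification helper: 1 if the current soft limit is <= bound, else 0. */
int soft_limit_at_most(int resource, rlim_t bound)
{
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0)
        return 0;
    return rl.rlim_cur <= bound;
}

/* Fork, apply the class limits in the child, then exec the command.
 * Returns the child's exit status, or -1 on a fork/wait error. */
int run_with_class_limits(const char *class_name, char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int rc = apply_class_limits(class_name);
        if (rc == -1) {
            fprintf(stderr, "unknown login class '%s'\n", class_name);
            _exit(110);
        }
        if (rc != 0) {
            fprintf(stderr, "setrlimit for class '%s' failed: %s\n",
                    class_name, strerror(errno));
            _exit(109 - rc);            /* 111 for CPU, 112 for NOFILE */
        }
        /* Real suexec would setgid()/initgroups()/setuid() here, then exec. */
        execvp(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* The child reports the "cgi" class soft limit on open files: 256. */
    char *const argv[] = { "sh", "-c", "ulimit -S -n", NULL };
    return run_with_class_limits("cgi", argv);
}
```

Build with `cc -o limits limits.c`; running it prints `256` from the child's `ulimit -S -n`, while the parent keeps its original limits, which is the property the patch relies on when it sets limits only in the process that is about to exec the CGI.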