You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by "Philip M. Gollucci" <pg...@p6m7g8.com> on 2009/12/14 07:11:10 UTC

[patch]: suexec resource limits doesn't work

http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/136091

By default suexec doesn't enforces different resource limitations 
configured in login.conf(5). This is probably because resource 
limitations are handled differently on various different platforms.

The attached patch modifies suexec behaviour to set resource limits for 
CGI's from /etc/login.conf before execing the customers CGI script.

FWIW, www/apache13 has locally implemented this functionality for years 
in freebsd ports so its time tested.

Updating all the exit() codes is an exercise left to the comitter.


$ ~/dev/repos/asf/asf/httpd/httpd/trunk> svn diff
Index: support/Makefile.in
===================================================================
--- support/Makefile.in (revision 889865)
+++ support/Makefile.in (working copy)
@@ -60,7 +60,7 @@

  suexec_OBJECTS = suexec.lo
  suexec: $(suexec_OBJECTS)
-       $(LINK) $(suexec_OBJECTS)
+       $(LINK) -lutil $(suexec_OBJECTS)

  htcacheclean_OBJECTS = htcacheclean.lo
  htcacheclean: $(htcacheclean_OBJECTS)
Index: support/suexec.c
===================================================================
--- support/suexec.c    (revision 889865)
+++ support/suexec.c    (working copy)
@@ -37,6 +37,7 @@
  #include <sys/param.h>
  #include <sys/stat.h>
  #include <sys/types.h>
+#include <login_cap.h>
  #include <string.h>
  #include <time.h>
  #if APR_HAVE_UNISTD_H
@@ -239,6 +240,7 @@
      char *cmd;              /* command to be executed    */
      char cwd[AP_MAXPATH];   /* current working directory */
      char dwd[AP_MAXPATH];   /* docroot working directory */
+    login_cap_t *lc         /* user resource limits      */
      struct passwd *pw;      /* password entry holder     */
      struct group *gr;       /* group entry holder        */
      struct stat dir_info;   /* directory info holder     */
@@ -447,6 +449,18 @@
      }

      /*
+     * Apply user resource limits based on login class.
+     */
+    if ((lc = login_getclassbyname(pw->pw_class, pw)) == NULL) {
+        log_err("failed to login_getclassbyname()\n");
+        exit(109);
+    }
+    if ((setusercontext(lc, pw, uid, LOGIN_SETRESOURCES)) != 0) {
+        log_err("failed to setusercontext()\n");
+        exit(109);
+    }
+
+    /*
       * Change UID/GID here so that the following tests work over NFS.
       *
       * Initialize the group access list for the target user,
-- 
------------------------------------------------------------------------
1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70  3F8C 75B8 8FFB DB9B 8C1C
Philip M. Gollucci (pgollucci@p6m7g8.com) c: 703.336.9354
VP Apache Infrastructure; Member, Apache Software Foundation
Committer,                        FreeBSD Foundation
Consultant,                       P6M7G8 Inc.
Sr. System Admin,                 Ridecharge Inc.

Work like you don't need the money,
love like you'll never get hurt,
and dance like nobody's watching.