ports/136091: [PATCH] www/apache22 - suexec resource limits
patch
Alexey V. Degtyarev
alexey at renatasystems.org
Tue Jul 7 18:40:05 UTC 2009
The following reply was made to PR ports/136091; it has been noted by GNATS.
From: "Alexey V. Degtyarev" <alexey at renatasystems.org>
To: S?bastien Santoro <dereckson at gmail.com>
Cc: bug-followup at FreeBSD.org
Subject: Re: ports/136091: [PATCH] www/apache22 - suexec resource limits
patch
Date: Tue, 7 Jul 2009 22:03:36 +0400
--EeQfGwPcQSOJBaQU
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
> Should be an optional patch, please consider adding a make config option.
Ok, I have attached a diff with this patch enabled via a config option
(default is off).
+ minor code cleanup for Makefile: [129]: whitespace before end of line.
--
Alexey V. Degtyarev
--EeQfGwPcQSOJBaQU
Content-Type: text/x-diff; charset=us-ascii
Content-Disposition: attachment; filename="apache22.patch"
diff -u -N -r apache22.orig/Makefile apache22/Makefile
--- apache22.orig/Makefile 2009-06-18 19:40:42.000000000 +0400
+++ apache22/Makefile 2009-07-07 21:24:54.000000000 +0400
@@ -126,7 +126,7 @@
.if defined(WITH_APR_FROM_PORTS)
PLIST_SUB+= APR_PORTS="@comment "
-APR_PORT?= devel/apr
+APR_PORT?= devel/apr
LIB_DEPENDS+= apr-1:${PORTSDIR}/${APR_PORT}
CONFIGURE_ARGS+= --with-apr=${LOCALBASE}/bin/apr-1-config \
--with-apr-util=${LOCALBASE}/bin/apu-1-config
@@ -169,6 +169,14 @@
. endif
.endif
+.if defined(WITH_SUEXEC_RSRCLIMIT)
+EXTRA_PATCHES+= ${FILESDIR}/extra-patch-suexec_rsrclimit
+.if !defined(WITH_SUEXEC)
+IGNORE= suEXEC resource limit patch requires mod_suexec.\
+ Please (re)run 'make config' and choose SUEXEC option also
+.endif
+.endif
+
CONFIGURE_ARGS+= --with-mpm=${WITH_MPM:L}
pre-everything::
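Review bot: The nested conditional added here is written as `.if !defined(WITH_SUEXEC)` / `.endif` at the same depth as the outer one, while the surrounding file marks nesting with a space after the dot (see the `. endif` just above the addition). Writing the inner pair as `. if !defined(WITH_SUEXEC)` and `. endif` would keep the block readable. A one-line comment above it, such as `# applies login.conf(5) resource limits inside the suexec wrapper`, would tell a maintainer what the extra patch changes in that binary.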
diff -u -N -r apache22.orig/Makefile.options apache22/Makefile.options
--- apache22.orig/Makefile.options 2009-06-12 16:35:33.000000000 +0400
+++ apache22/Makefile.options 2009-07-07 21:22:40.000000000 +0400
@@ -71,5 +71,6 @@
PROXY_BALANCER "Enable mod_proxy_balancer" OFF \
SSL "Enable mod_ssl" ON \
SUEXEC "Enable mod_suexec" OFF \
+ SUEXEC_RSRCLIMIT "SuEXEC rlimits based on login class" OFF \
CGID "Enable mod_cgid" OFF \
diff -u -N -r apache22.orig/files/extra-patch-suexec_rsrclimit apache22/files/extra-patch-suexec_rsrclimit
--- apache22.orig/files/extra-patch-suexec_rsrclimit 1970-01-01 03:00:00.000000000 +0300
+++ apache22/files/extra-patch-suexec_rsrclimit 2009-06-27 17:08:57.000000000 +0400
@@ -0,0 +1,49 @@
+# http://www.chrishardie.com/tech/apache/suexec_rsrclimit.html
+--- support/suexec.c.orig Wed Jul 12 07:38:44 2006
++++ support/suexec.c Wed Nov 15 23:58:04 2006
+@@ -37,6 +37,7 @@
+ #include <sys/param.h>
+ #include <sys/stat.h>
+ #include <sys/types.h>
++#include <login_cap.h>
+ #include <string.h>
+ #include <time.h>
+ #if APR_HAVE_UNISTD_H
+@@ -259,6 +260,7 @@
+ char *cmd; /* command to be executed */
+ char cwd[AP_MAXPATH]; /* current working directory */
+ char dwd[AP_MAXPATH]; /* docroot working directory */
++ login_cap_t *lc; /* user resource limits */
+ struct passwd *pw; /* password entry holder */
+ struct group *gr; /* group entry holder */
+ struct stat dir_info; /* directory info holder */
+@@ -463,6 +465,18 @@
+ log_err("cannot run as forbidden gid (%d/%s)\n", gid, cmd);
+ exit(108);
+ }
++
++ /*
++ * Apply user resource limits based on login class.
++ */
++ if ((lc = login_getclassbyname(pw->pw_class, pw)) == NULL) {
++ log_err("failed to login_getclassbyname()\n");
++ exit(109);
++ }
++ if ((setusercontext(lc, pw, uid, LOGIN_SETRESOURCES)) != 0) {
++ log_err("failed to setusercontext()\n");
++ exit(109);
++ }
+
+ /*
+ * Change UID/GID here so that the following tests work over NFS.
+--- support/Makefile.in.orig Thu Nov 16 02:20:47 2006
++++ support/Makefile.in Thu Nov 16 02:11:29 2006
+@@ -65,7 +65,7 @@
+
+ suexec_OBJECTS = suexec.lo
+ suexec: $(suexec_OBJECTS)
+- $(LINK) $(suexec_OBJECTS)
++ $(LINK) -lutil $(suexec_OBJECTS)
+
+ htcacheclean_OBJECTS = htcacheclean.lo
+ htcacheclean: $(htcacheclean_OBJECTS)
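Review bot: The two failure paths added to suexec.c both exit with 109 and log a fixed string, so a refused request cannot be traced to a user or to the call that failed. Consider distinct exit codes and a message in the style of the neighbouring gid check, e.g. `log_err("failed to setusercontext() (%d/%s)\n", uid, cmd);`. The `lc` handle returned by login_getclassbyname() is also never released; a `login_close(lc);` right after the setusercontext() call would keep the wrapper from carrying it through the rest of the function. In the Makefile.in part, `-lutil` sits before `$(suexec_OBJECTS)`, and a linker that resolves left to right may drop it, so `$(LINK) $(suexec_OBJECTS) -lutil` is the safer order. The enclosing function starts and ends outside the hunk, so check there whether 109 is already taken by another exit path.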
--EeQfGwPcQSOJBaQU--