ports/136928: [PATCH] www/apache20 - suexec resource limits patch
Alex Keda
admin at lissyara.su
Mon Jul 20 12:30:07 UTC 2009
>Number: 136928
>Category: ports
>Synopsis: [PATCH] www/apache20 - suexec resource limits patch
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Mon Jul 20 12:30:06 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Alex Keda
>Release: 7.2
>Organization:
USSR
>Environment:
FreeBSD srv2.host-food.ru 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Tue May 12 17:09:23 MSD 2009 lissyara at srv2.host-food.ru:/home2/tmp/usr/src/sys/HOST-FOOD i386
>Description:
resource limit patch, based on http://www.freebsd.org/cgi/query-pr.cgi?pr=136091
I have been using it successfully on 4 production servers for the last 2 weeks.
>How-To-Repeat:
>Fix:
see patch
Patch attached with submission follows:
diff -Nru www/apache20.orig/apache20.suexec.login.conf.limits.diff www/apache20/apache20.suexec.login.conf.limits.diff
--- www/apache20.orig/apache20.suexec.login.conf.limits.diff 1970-01-01 03:00:00.000000000 +0300
+++ www/apache20/apache20.suexec.login.conf.limits.diff 2009-07-08 10:34:30.000000000 +0400
@@ -0,0 +1,50 @@
+diff -Nru www/apache20.orig/work/httpd-2.0.63/support/Makefile.in www/apache20/work/httpd-2.0.63/support/Makefile.in
+--- www/apache20.orig/work/httpd-2.0.63/support/Makefile.in 2009-07-08 10:27:36.000000000 +0400
++++ www/apache20/work/httpd-2.0.63/support/Makefile.in 2009-07-08 10:33:26.000000000 +0400
+@@ -57,7 +57,7 @@
+
+ suexec_OBJECTS = suexec.lo
+ suexec: $(suexec_OBJECTS)
+- $(LINK) $(suexec_OBJECTS)
++ $(LINK) -lutil $(suexec_OBJECTS)
+
+ httxt2dbm_OBJECTS = httxt2dbm.lo
+ httxt2dbm: $(httxt2dbm_OBJECTS)
+diff -Nru www/apache20.orig/work/httpd-2.0.63/support/suexec.c www/apache20/work/httpd-2.0.63/support/suexec.c
+--- www/apache20.orig/work/httpd-2.0.63/support/suexec.c 2006-07-12 11:40:55.000000000 +0400
++++ www/apache20/work/httpd-2.0.63/support/suexec.c 2009-07-08 10:32:47.000000000 +0400
+@@ -37,6 +37,7 @@
+ #include <sys/param.h>
+ #include <sys/stat.h>
+ #include <sys/types.h>
++#include <login_cap.h>
+ #include <string.h>
+ #include <time.h>
+ #if APR_HAVE_UNISTD_H
+@@ -242,6 +243,7 @@
+ char *cmd; /* command to be executed */
+ char cwd[AP_MAXPATH]; /* current working directory */
+ char dwd[AP_MAXPATH]; /* docroot working directory */
++ login_cap_t *lc; /* user resource limits */
+ struct passwd *pw; /* password entry holder */
+ struct group *gr; /* group entry holder */
+ struct stat dir_info; /* directory info holder */
+@@ -448,6 +450,18 @@
+ }
+
+ /*
++ * Apply user resource limits based on login class.
++ */
++ if ((lc = login_getclassbyname(pw->pw_class, pw)) == NULL) {
++ log_err("failed to login_getclassbyname()\n");
++ exit(109);
++ }
++ if ((setusercontext(lc, pw, uid, LOGIN_SETRESOURCES)) != 0) {
++ log_err("failed to setusercontext()\n");
++ exit(109);
++ }
++
++ /*
+ * Change UID/GID here so that the following tests work over NFS.
+ *
+ * Initialize the group access list for the target user,
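Review bot: The `login_cap_t` returned by `login_getclassbyname()` is never released, and both new failure paths log a fixed string and exit with the same status 109, so the suexec log shows neither the user and login class being processed nor, from the exit status alone, which call failed. Add `login_close(lc);` after the `setusercontext()` check and put the identity in the messages, for example `log_err("failed to setusercontext() (uid %ld, class %s)\n", (long)uid, pw->pw_class);`. It is also worth confirming that 109 is not already used by another error path in suexec.c, which this hunk does not show. The enclosing function starts and ends outside the hunk, and the same lines are repeated in the files/patch-support:suexec.c hunk further down.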
diff -Nru www/apache20.orig/files/patch-support:Makefile.in www/apache20/files/patch-support:Makefile.in
--- www/apache20.orig/files/patch-support:Makefile.in 2009-07-20 16:10:25.000000000 +0400
+++ www/apache20/files/patch-support:Makefile.in 2009-07-20 16:19:14.000000000 +0400
@@ -12,3 +12,13 @@
fi
htpasswd_OBJECTS = htpasswd.lo
+@@ -57,7 +57,7 @@
+
+ suexec_OBJECTS = suexec.lo
+ suexec: $(suexec_OBJECTS)
+- $(LINK) $(suexec_OBJECTS)
++ $(LINK) -lutil $(suexec_OBJECTS)
+
+ httxt2dbm_OBJECTS = httxt2dbm.lo
+ httxt2dbm: $(httxt2dbm_OBJECTS)
+
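Review bot: `-lutil` is placed before `$(suexec_OBJECTS)` on the link line, so a linker that resolves libraries in command-line order (a static libutil, or `--as-needed`) may discard it before it sees suexec.lo's references to `login_getclassbyname()` and `setusercontext()`. Put the library after the objects: `$(LINK) $(suexec_OBJECTS) -lutil`. The same line appears in the Makefile.in part of apache20.suexec.login.conf.limits.diff above.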
diff -Nru www/apache20.orig/files/patch-support:suexec.c www/apache20/files/patch-support:suexec.c
--- www/apache20.orig/files/patch-support:suexec.c 1970-01-01 03:00:00.000000000 +0300
+++ www/apache20/files/patch-support:suexec.c 2009-07-20 16:16:12.000000000 +0400
@@ -0,0 +1,37 @@
+--- support/suexec.c 2006-07-12 11:40:55.000000000 +0400
++++ support/suexec.c 2009-07-08 10:32:47.000000000 +0400
+@@ -37,6 +37,7 @@
+ #include <sys/param.h>
+ #include <sys/stat.h>
+ #include <sys/types.h>
++#include <login_cap.h>
+ #include <string.h>
+ #include <time.h>
+ #if APR_HAVE_UNISTD_H
+@@ -242,6 +243,7 @@
+ char *cmd; /* command to be executed */
+ char cwd[AP_MAXPATH]; /* current working directory */
+ char dwd[AP_MAXPATH]; /* docroot working directory */
++ login_cap_t *lc; /* user resource limits */
+ struct passwd *pw; /* password entry holder */
+ struct group *gr; /* group entry holder */
+ struct stat dir_info; /* directory info holder */
+@@ -448,6 +450,18 @@
+ }
+
+ /*
++ * Apply user resource limits based on login class.
++ */
++ if ((lc = login_getclassbyname(pw->pw_class, pw)) == NULL) {
++ log_err("failed to login_getclassbyname()\n");
++ exit(109);
++ }
++ if ((setusercontext(lc, pw, uid, LOGIN_SETRESOURCES)) != 0) {
++ log_err("failed to setusercontext()\n");
++ exit(109);
++ }
++
++ /*
+ * Change UID/GID here so that the following tests work over NFS.
+ *
+ * Initialize the group access list for the target user,
>Release-Note:
>Audit-Trail:
>Unformatted: