ports/136091: [PATCH] www/apache22 - suexec resource limits patch

Alexey V.Degtyarev alexey at renatasystems.org
Sat Jun 27 14:40:02 UTC 2009


>Number:         136091
>Category:       ports
>Synopsis:       [PATCH] www/apache22 - suexec resource limits patch
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 27 14:40:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Alexey V. Degtyarev
>Release:        FreeBSD 7.1-RELEASE amd64
>Organization:
>Environment:
System: FreeBSD renatasystems.org 7.1-RELEASE FreeBSD 7.1-RELEASE #0: Thu Jan 1 08:58:24 UTC 2009 root at driscoll.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64


	
>Description:
By default suexec doesn't enforce different resource limitations configured in
login.conf(5).  This is probably because resource limitations are handled
differently on various different platforms.

The attached patch modifies suexec behaviour to set resource limits for CGIs
from /etc/login.conf before execing the customer's CGI script.

This functionality has already been implemented in www/apache13 with patch-ak,
patch-ba, and patch-bb.
>How-To-Repeat:
	
>Fix:

	

--- apache22.patch begins here ---
diff -u -Nr apache22.orig/Makefile apache22/Makefile
--- apache22.orig/Makefile	2009-06-18 19:40:42.000000000 +0400
+++ apache22/Makefile	2009-06-27 17:19:08.000000000 +0400
@@ -9,7 +9,7 @@
 
 PORTNAME=	apache
 PORTVERSION=	2.2.11
-PORTREVISION?=	7
+PORTREVISION?=	8
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_APACHE_HTTPD}
 DISTNAME=	httpd-${PORTVERSION}
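Review bot: No knob or upgrade note accompanies the PORTREVISION bump, so the new files/patch-suexec_rsrclimit applies to every build and existing suexec setups start enforcing login.conf limits on upgrade without warning. Consider gating the patch behind an option or adding an entry to UPDATING.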
diff -u -Nr apache22.orig/files/patch-suexec_rsrclimit apache22/files/patch-suexec_rsrclimit
--- apache22.orig/files/patch-suexec_rsrclimit	1970-01-01 03:00:00.000000000 +0300
+++ apache22/files/patch-suexec_rsrclimit	2009-06-27 17:08:57.000000000 +0400
@@ -0,0 +1,49 @@
+# http://www.chrishardie.com/tech/apache/suexec_rsrclimit.html
+--- support/suexec.c.orig	Wed Jul 12 07:38:44 2006
++++ support/suexec.c		Wed Nov 15 23:58:04 2006
+@@ -37,6 +37,7 @@
+ #include <sys/param.h>
+ #include <sys/stat.h>
+ #include <sys/types.h>
++#include <login_cap.h>
+ #include <string.h>
+ #include <time.h>
+ #if APR_HAVE_UNISTD_H
+@@ -259,6 +260,7 @@
+     char *cmd;              /* command to be executed    */
+     char cwd[AP_MAXPATH];   /* current working directory */
+     char dwd[AP_MAXPATH];   /* docroot working directory */
++    login_cap_t *lc;        /* user resource limits      */
+     struct passwd *pw;      /* password entry holder     */
+     struct group *gr;       /* group entry holder        */
+     struct stat dir_info;   /* directory info holder     */
+@@ -463,6 +465,18 @@
+         log_err("cannot run as forbidden gid (%d/%s)\n", gid, cmd);
+         exit(108);
+     }
++
++    /*
++     * Apply user resource limits based on login class.
++     */
++    if ((lc = login_getclassbyname(pw->pw_class, pw)) == NULL) {
++		log_err("failed to login_getclassbyname()\n");
++		exit(109);
++	}
++	if ((setusercontext(lc, pw, uid, LOGIN_SETRESOURCES)) != 0) {
++		log_err("failed to setusercontext()\n");
++		exit(109);
++	}
+ 
+     /*
+      * Change UID/GID here so that the following tests work over NFS.
+--- support/Makefile.in.orig	Thu Nov 16 02:20:47 2006
++++ support/Makefile.in	Thu Nov 16 02:11:29 2006
+@@ -65,7 +65,7 @@
+ 
+ suexec_OBJECTS = suexec.lo
+ suexec: $(suexec_OBJECTS)
+-	$(LINK) $(suexec_OBJECTS)
++	$(LINK) -lutil $(suexec_OBJECTS)
+ 
+ htcacheclean_OBJECTS = htcacheclean.lo
+ htcacheclean: $(htcacheclean_OBJECTS)
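Review bot: Both new failure paths in the suexec.c hunk at -463 call exit(109), so the two errors cannot be told apart from the exit status; give each its own code and check that neither is already used by the UID/GID change that follows. The log_err() messages also carry no context, unlike the adjacent "cannot run as forbidden gid (%d/%s)" message; including uid and pw->pw_class would make a misconfigured login class diagnosable from the suexec log. The handle returned by login_getclassbyname() is never released, so pair it with login_close(lc) once setusercontext() has returned. The added lines are tab-indented while the surrounding code uses four spaces. In the support/Makefile.in hunk, -lutil is placed before $(suexec_OBJECTS); libraries should follow the objects that reference them, otherwise the link can fail when linking statically.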
--- apache22.patch ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:


