Date: Fri, 1 Jul 2011 11:30:27 GMT From: Ildar Ibragimov <dar.quonb@gmail.com> To: freebsd-gnats-submit@FreeBSD.org Subject: ports/158565: Add rlimits based on login class for mpm-itk Message-ID: <201107011130.p61BUR6I045753@red.freebsd.org> Resent-Message-ID: <201107011140.p61Be7K0080296@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 158565
>Category: ports
>Synopsis: Add rlimits based on login class for mpm-itk
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Fri Jul 01 11:40:07 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Ildar Ibragimov
>Release: 8.2 amd64
>Organization:
>Environment:
>Description:
By default before setuid() and setguid() calls Apache with mpm-itk do not apply login class restrictions.
>How-To-Repeat:
Install Apache 2.2 from www/apache22-itk-mpm
>Fix:
Apply patch.
It adds an extra patch that is based on extra-patch-suexec_rsrclimit and a new option knob to switch behaviour for only for www/apache22-itk-mpm port.
Patch attached with submission follows:
diff -Nru apache22.orig/Makefile apache22/Makefile
--- apache22.orig/Makefile 2011-07-01 11:00:46.000000000 +0000
+++ apache22/Makefile 2011-07-01 11:16:07.000000000 +0000
@@ -52,6 +52,8 @@
APACHEDIR= ${MASTERDIR}
.endif
+WITH_MPM?= prefork # or worker, event, itk
+
.if !defined(WITHOUT_APACHE_OPTIONS)
OPTIONS= \
THREADS "Enable threads support in APR" Off \
@@ -61,6 +63,9 @@
IPV6 "Enable IPv6 support" On \
BDB "Enable BerkeleyDB dbm" Off
.include "${APACHEDIR}/Makefile.options"
+.if ${WITH_MPM:L} == "itk"
+OPTIONS+=ITK_LIMITS "mpm-itk rlimits based on login class" Off
+.endif
.endif
.if defined(WITH_SUEXEC_RSRCLIMIT)
@@ -94,8 +99,6 @@
MAKE_ENV+= EXPR_COMPAT=yes \
INSTALL_MAN="${INSTALL_MAN}"
-WITH_MPM?= prefork # or worker, event, itk
-
WITH_HTTP_PORT?= 80
.if defined(WITH_STATIC_SUPPORT)
diff -Nru apache22.orig/Makefile.modules apache22/Makefile.modules
--- apache22.orig/Makefile.modules 2011-07-01 11:00:46.000000000 +0000
+++ apache22/Makefile.modules 2011-07-01 11:01:44.000000000 +0000
@@ -65,6 +65,9 @@
. elif ${WITH_MPM:L} == "itk"
PLIST_SUB+= PREFORK="@comment " WORKER="@comment " EVENT="@comment "
EXTRA_PATCHES+= ${PATCHDIR}/mpm-itk-${MPM_ITK_VERSION}
+. if defined (WITH_ITK_LIMITS)
+EXTRA_PATCHES+= ${PATCHDIR}/mpm-itk-limits
+. endif
. if defined (WITH_ITK_PERDIR_REGEX)
EXTRA_PATCHES+= ${PATCHDIR}/mpm-itk-perdir-regex
. endif
diff -Nru apache22.orig/files/mpm-itk-limits apache22/files/mpm-itk-limits
--- apache22.orig/files/mpm-itk-limits 1970-01-01 00:00:00.000000000 +0000
+++ apache22/files/mpm-itk-limits 2011-07-01 10:34:36.000000000 +0000
@@ -0,0 +1,53 @@
+--- server/mpm/experimental/itk/Makefile.in.orig 2011-07-01 10:33:45.000000000 +0000
++++ server/mpm/experimental/itk/Makefile.in 2011-07-01 10:33:57.000000000 +0000
+@@ -1,5 +1,6 @@
+
+ LTLIBRARY_NAME = libitk.la
+ LTLIBRARY_SOURCES = itk.c
++LTLIBRARY_LIBADD = -lutil
+
+ include $(top_srcdir)/build/ltlib.mk
+--- server/mpm/experimental/itk/itk.c.orig 2011-07-01 10:04:40.000000000 +0000
++++ server/mpm/experimental/itk/itk.c 2011-07-01 10:17:19.000000000 +0000
+@@ -41,6 +41,8 @@
+ #if APR_HAVE_SYS_TYPES_H
+ #include <sys/types.h>
+ #endif
++#include <pwd.h>
++#include <login_cap.h>
+
+ #define CORE_PRIVATE
+
+@@ -1438,6 +1440,8 @@
+ gid_t wanted_gid;
+ const char *wanted_username;
+ int err = 0;
++ struct passwd *pw;
++ login_cap_t *lc;
+
+ itk_server_conf *sconf =
+ (itk_server_conf *) ap_get_module_config(r->server->module_config, &mpm_itk_module);
+@@ -1481,6 +1485,23 @@
+ wanted_username = unixd_config.user_name;
+ }
+
++ if ((pw = getpwuid(wanted_uid)) == NULL) {
++ _DBG("crit: invalid uid: (%ld)", wanted_uid, strerror(errno));
++ err = 1;
++ }
++
++ /*
++ * Apply user resource limits based on login class.
++ */
++ if ((lc = login_getclassbyname(pw->pw_class, pw)) == NULL) {
++ _DBG("failed to login_getclassbyname()", strerror(errno));
++ err = 1;
++ }
++ if ((setusercontext(lc, pw, wanted_uid, LOGIN_SETRESOURCES)) != 0) {
++ _DBG("failed to setusercontext()", strerror(errno));
++ err = 1;
++ }
++
+ if (!err && wanted_uid != -1 && wanted_gid != -1 && (getuid() != wanted_uid || getgid() != wanted_gid)) {
+ if (setgid(wanted_gid)) {
+ _DBG("setgid(%d): %s", wanted_gid, strerror(errno));
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201107011130.p61BUR6I045753>