Date:      Wed, 11 Apr 2001 03:06:24 -0400 (EDT)
From:      Robert Watson <rwatson@freebsd.org>
To:        Blaz Zupan <blaz@amis.net>
Cc:        Marcus Reid <marcus@blazingdot.com>, freebsd-isp@freebsd.org
Subject:   Re: Apache suexec and class capabilities
Message-ID:  <Pine.NEB.3.96L.1010411030418.84384A-100000@fledge.watson.org>
In-Reply-To: <Pine.BSF.4.33.0104090842210.53086-100000@titanic.medinet.si>


On Mon, 9 Apr 2001, Blaz Zupan wrote:

> > I'd like to subject any CGI run through Apache with suexec to the resource
> > limitations imposed by login.conf. I see that there are a couple of patches
> > to this effect included in the apache13-fp port, but they seem to be aimed
> > at solving a problem with FrontPage extensions (which I'm not going to use.)
> >
> > Is there a patch floating around, or some way of doing this?
> 
> Take a look at this one, it works fine for us:
> 
> http://www.FreeBSD.org/cgi/query-pr.cgi?pr=13606

I notice that this PR has aged quite a bit -- a better approach would
probably be for us to verify it does everything we want, and then attempt
to get it integrated on the Apache side.  I've recently spent some time
scouring our tree looking for situations where setusercontext() is not
used, as setusercontext() will be responsible for maintaining additional
process capabilities and MAC labels at login-time.  Probably, the
setusercontext() call in this patch should use SETLOGIN_ALL minus any
SETLOGIN flags that need to be explicitly excluded.  Perhaps ideally, it
would also set the uids and so on, although suexec probably also has its
own notions on how to handle that.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services
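
An added sketch of the approach discussed in the message above (not code from the message, from PR 13606, or from Apache): a suexec-style wrapper that applies the target user's login.conf class through setusercontext() with everything except a few excluded flags. The flag names are those of FreeBSD's <login_cap.h>; the choice of excluded flags, the helper names and the non-FreeBSD compile shim are assumptions of this example.

```c
#include <sys/types.h>
#include <pwd.h>
#include <unistd.h>

#ifdef __FreeBSD__
#include <login_cap.h>          /* setusercontext(), LOGIN_*; link with -lutil */
#else
/* Constructed stand-ins so the file compiles off FreeBSD; NOT the real values. */
#define LOGIN_SETLOGIN 0x01u
#define LOGIN_SETPATH  0x02u
#define LOGIN_SETENV   0x04u
#define LOGIN_SETALL   0xffu
static int setusercontext(void *lc, const struct passwd *pw, uid_t uid,
                          unsigned int flags)
{ (void)lc; (void)pw; (void)uid; (void)flags; return -1; }
#endif

/* Assumption: a CGI wrapper is not a login session and builds its own clean
 * environment, so these three are left out; the rest of LOGIN_SETALL
 * (resource limits, priority, umask, groups, uid, ...) is applied. */
unsigned int cgi_context_flags(void)
{
    return LOGIN_SETALL & ~(LOGIN_SETLOGIN | LOGIN_SETPATH | LOGIN_SETENV);
}

/* Hypothetical helper: switch the current (root) process to `user`.
 * Returns 0 on success, -1 on any failure; the caller must not exec on -1. */
int become_cgi_user(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || pw->pw_uid == 0)      /* unknown user, or refusing root */
        return -1;
    /* lc == NULL: the class is looked up from pw->pw_class in login.conf. */
    if (setusercontext(NULL, pw, pw->pw_uid, cgi_context_flags()) != 0)
        return -1;
    /* The uid change must be irreversible before any CGI code runs. */
    if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid || setuid(0) == 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 3 || become_cgi_user(argv[1]) != 0)
        return 1;                           /* refuse to run the CGI */
    execv(argv[2], &argv[2]);
    return 1;                               /* execv only returns on error */
}
```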


