Attachment #97366 for bug #136091





.if defined(WITH_APR_FROM_PORTS)
PLIST_SUB+=	APR_PORTS="@comment "
APR_PORT?=	devel/apr
LIB_DEPENDS+=	apr-1:${PORTSDIR}/${APR_PORT}
CONFIGURE_ARGS+=	--with-apr=${LOCALBASE}/bin/apr-1-config \
			--with-apr-util=${LOCALBASE}/bin/apu-1-config

.   endif
.endif

.if defined(WITH_SUEXEC_RSRCLIMIT)
EXTRA_PATCHES+=	${FILESDIR}/extra-patch-suexec_rsrclimit
.if !defined(WITH_SUEXEC)
IGNORE=		suEXEC resource limit patch requires mod_suexec.\
		Please (re)run 'make config' and choose SUEXEC option also
.endif
.endif

CONFIGURE_ARGS+=	--with-mpm=${WITH_MPM:L}

pre-everything::

Lines 71-75 Link Here

(-)apache22/Makefile.options (+1 lines)
71	PROXY_BALANCER "Enable mod_proxy_balancer" OFF \	71	PROXY_BALANCER "Enable mod_proxy_balancer" OFF \
72	SSL "Enable mod_ssl" ON \	72	SSL "Enable mod_ssl" ON \
73	SUEXEC "Enable mod_suexec" OFF \	73	SUEXEC "Enable mod_suexec" OFF \
		74	SUEXEC_RSRCLIMIT "SuEXEC rlimits based on login class" OFF \
74	CGID "Enable mod_cgid" OFF \	75	CGID "Enable mod_cgid" OFF \
75		76




# http://www.chrishardie.com/tech/apache/suexec_rsrclimit.html
--- support/suexec.c.orig	Wed Jul 12 07:38:44 2006
+++ support/suexec.c		Wed Nov 15 23:58:04 2006
@@ -37,6 +37,7 @@
 #include <sys/param.h>
 #include <sys/stat.h>
 #include <sys/types.h>
+#include <login_cap.h>
 #include <string.h>
 #include <time.h>
 #if APR_HAVE_UNISTD_H
@@ -259,6 +260,7 @@
     char *cmd;              /* command to be executed    */
     char cwd[AP_MAXPATH];   /* current working directory */
     char dwd[AP_MAXPATH];   /* docroot working directory */
+    login_cap_t *lc;        /* user resource limits      */
     struct passwd *pw;      /* password entry holder     */
     struct group *gr;       /* group entry holder        */
     struct stat dir_info;   /* directory info holder     */
@@ -463,6 +465,18 @@
         log_err("cannot run as forbidden gid (%d/%s)\n", gid, cmd);
         exit(108);
     }
+
+    /*
+     * Apply user resource limits based on login class.
+     */
+    if ((lc = login_getclassbyname(pw->pw_class, pw)) == NULL) {
+		log_err("failed to login_getclassbyname()\n");
+		exit(109);
+	}
+	if ((setusercontext(lc, pw, uid, LOGIN_SETRESOURCES)) != 0) {
+		log_err("failed to setusercontext()\n");
+		exit(109);
+	}
 
     /*
      * Change UID/GID here so that the following tests work over NFS.
--- support/Makefile.in.orig	Thu Nov 16 02:20:47 2006
+++ support/Makefile.in	Thu Nov 16 02:11:29 2006
@@ -65,7 +65,7 @@
 
 suexec_OBJECTS = suexec.lo
 suexec: $(suexec_OBJECTS)
-	$(LINK) $(suexec_OBJECTS)
+	$(LINK) -lutil $(suexec_OBJECTS)
 
 htcacheclean_OBJECTS = htcacheclean.lo
 htcacheclean: $(htcacheclean_OBJECTS)

Return to bug 136091

Lines 126-132 Link Here

(-)apache22/Makefile (-1 / +9 lines)
126		126
127	.if defined(WITH_APR_FROM_PORTS)	127	.if defined(WITH_APR_FROM_PORTS)
128	PLIST_SUB+= APR_PORTS="@comment "	128	PLIST_SUB+= APR_PORTS="@comment "
129	APR_PORT?= devel/apr	129	APR_PORT?= devel/apr
130	LIB_DEPENDS+= apr-1:${PORTSDIR}/${APR_PORT}	130	LIB_DEPENDS+= apr-1:${PORTSDIR}/${APR_PORT}
131	CONFIGURE_ARGS+= --with-apr=${LOCALBASE}/bin/apr-1-config \	131	CONFIGURE_ARGS+= --with-apr=${LOCALBASE}/bin/apr-1-config \
132	--with-apr-util=${LOCALBASE}/bin/apu-1-config	132	--with-apr-util=${LOCALBASE}/bin/apu-1-config
Lines 169-174 Link Here
169	. endif	169	. endif
170	.endif	170	.endif
171		171
		172	.if defined(WITH_SUEXEC_RSRCLIMIT)
		173	EXTRA_PATCHES+= ${FILESDIR}/extra-patch-suexec_rsrclimit
		174	.if !defined(WITH_SUEXEC)
		175	IGNORE= suEXEC resource limit patch requires mod_suexec.\
		176	Please (re)run 'make config' and choose SUEXEC option also
		177	.endif
		178	.endif
		179
172	CONFIGURE_ARGS+= --with-mpm=${WITH_MPM:L}	180	CONFIGURE_ARGS+= --with-mpm=${WITH_MPM:L}
173		181
174	pre-everything::	182	pre-everything::

Line 0 Link Here

(-)apache22/files/extra-patch-suexec_rsrclimit (+49 lines)
	1	# http://www.chrishardie.com/tech/apache/suexec_rsrclimit.html
	2	--- support/suexec.c.orig Wed Jul 12 07:38:44 2006
	3	+++ support/suexec.c Wed Nov 15 23:58:04 2006
	4	@@ -37,6 +37,7 @@
	5	#include <sys/param.h>
	6	#include <sys/stat.h>
	7	#include <sys/types.h>
	8	+#include <login_cap.h>
	9	#include <string.h>
	10	#include <time.h>
	11	#if APR_HAVE_UNISTD_H
	12	@@ -259,6 +260,7 @@
	13	char cmd; / command to be executed */
	14	char cwd[AP_MAXPATH]; /* current working directory */
	15	char dwd[AP_MAXPATH]; /* docroot working directory */
	16	+ login_cap_t lc; / user resource limits */
	17	struct passwd pw; / password entry holder */
	18	struct group gr; / group entry holder */
	19	struct stat dir_info; /* directory info holder */
	20	@@ -463,6 +465,18 @@
	21	log_err("cannot run as forbidden gid (%d/%s)\n", gid, cmd);
	22	exit(108);
	23	}
	24	+
	25	+ /*
	26	+ * Apply user resource limits based on login class.
	27	+ */
	28	+ if ((lc = login_getclassbyname(pw->pw_class, pw)) == NULL) {
	29	+ log_err("failed to login_getclassbyname()\n");
	30	+ exit(109);
	31	+ }
	32	+ if ((setusercontext(lc, pw, uid, LOGIN_SETRESOURCES)) != 0) {
	33	+ log_err("failed to setusercontext()\n");
	34	+ exit(109);
	35	+ }
	36
	37	/*
	38	* Change UID/GID here so that the following tests work over NFS.
	39	--- support/Makefile.in.orig Thu Nov 16 02:20:47 2006
	40	+++ support/Makefile.in Thu Nov 16 02:11:29 2006
	41	@@ -65,7 +65,7 @@
	42
	43	suexec_OBJECTS = suexec.lo
	44	suexec: $(suexec_OBJECTS)
	45	- $(LINK) $(suexec_OBJECTS)
	46	+ $(LINK) -lutil $(suexec_OBJECTS)
	47
	48	htcacheclean_OBJECTS = htcacheclean.lo
	49	htcacheclean: $(htcacheclean_OBJECTS)