Bug 136091 - [PATCH] www/apache22 - suexec resource limits patch
[PATCH] www/apache22 - suexec resource limits patch
Status: Closed FIXED
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Latest
Any Any
: Normal Affects Only Me
Assigned To: apache
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2009-06-27 15:40 UTC by alexey
Modified: 2013-06-17 11:50 UTC (History)
0 users

See Also:


Attachments
apache22.patch (2.26 KB, patch)
2009-06-27 15:40 UTC, alexey
no flags Details | Diff
apache22.patch (3.18 KB, patch)
2009-07-07 19:03 UTC, alexey
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description alexey 2009-06-27 15:40:01 UTC
By default suexec doesn't enforces different resource limitations configured in
login.conf(5).  This is probably because resource limitations are handled
differently on various different platforms.

The attached patch modifies suexec behaviour to set resource limits for CGI's
from /etc/login.conf before execing the customers CGI script.

This functionality already been implemented in www/apache13 with patch-ak,
patch-ba, and patch-bb.
Comment 1 Edwin Groothuis freebsd_committer 2009-06-27 15:40:11 UTC
Responsible Changed
From-To: freebsd-ports-bugs->apache

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 dereckson 2009-07-07 05:26:43 UTC
Should be an optional patch, please consider adding a make config option.
Comment 3 alexey 2009-07-07 19:03:36 UTC
> Should be an optional patch, please consider adding a make config option.

Ok, I have attached diff with this patch enabled via config option
(default is off).

+ minor code cleanup for Makefile: [129]: whitespace before end of line.

-- 
Alexey V. Degtyarev
Comment 4 Philip M. Gollucci freebsd_committer 2009-07-08 04:16:03 UTC
Responsible Changed
From-To: apache->pgollucci

I'll take it.
Comment 5 alexey 2009-09-08 22:55:32 UTC
> Thank you very much for your problem report.
> It has the internal identification `ports/136091'.
> The individual assigned to look at your
> report is: freebsd-ports-bugs. 
> 
> You can access the state of your problem report at any time
> via this link:
> 
> http://www.freebsd.org/cgi/query-pr.cgi?pr=136091
> 
> >Category:       ports
> >Responsible:    freebsd-ports-bugs
> >Synopsis:       [PATCH] www/apache22 - suexec resource limits patch
> >Arrival-Date:   Sat Jun 27 14:40:01 UTC 2009

Are there any chances to see this patch in the next ports tree freeze?
Actually this patch has been tested for a long time on a havy load
production virtual hosting servers.

-- 
Alexey V. Degtyarev
Comment 6 Philip M. Gollucci freebsd_committer 2009-12-11 23:58:09 UTC
State Changed
From-To: open->analyzed

this needs to go upstrream to dev@httpd.a.o, I'll follow up there
Comment 7 Philip M. Gollucci freebsd_committer 2009-12-15 19:40:46 UTC
State Changed
From-To: analyzed->open

Maintainer approved.
Comment 8 Philip M. Gollucci freebsd_committer 2010-04-29 19:39:12 UTC
Responsible Changed
From-To: pgollucci->apache

Over to maintainer.
Comment 9 Philip M. Gollucci freebsd_committer 2010-05-14 06:03:37 UTC
State Changed
From-To: open->closed

Committed. Thanks!
Comment 10 dfilter freebsd_committer 2010-05-14 06:05:28 UTC
pgollucci    2010-05-14 05:03:30 UTC

  FreeBSD ports repository

  Modified files:
    www/apache22         Makefile Makefile.options 
  Added files:
    www/apache22/files   patch-suexec_rsrclimit 
  Log:
  By default suexec doesn't enforces different resource limitations configured in
  login.conf(5). This is probably because resource limitations are handled
  differently on various different platforms.
  
  This modifies suexec behaviour to set resource limits for CGI's
  from /etc/login.conf before execing the customers CGI script.
  
  Doesn't affect default package, so no PORTREVISION bumps.
  
  I will follow up at dev@httpd.apache.org to see about adding this
  with #ifdefs.
  
  PR:             ports/136091
  Submitted by:   Alexey V.Degtyarev <alexey@renatasystems.org>
  With Hat:       apache@
  
  Revision  Changes    Path
  1.268     +8 -0      ports/www/apache22/Makefile
  1.5       +1 -0      ports/www/apache22/Makefile.options
  1.1       +49 -0     ports/www/apache22/files/patch-suexec_rsrclimit (new)
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 11 borjam 2013-06-17 11:38:55 UTC
Maybe this patch should be a bit more overreaching.=20

It's just applying the rlimits from login.conf,  but it would be more =
useful if it supported other important login.conf
attributes such as the MAC labels.=20

Any thoughts?

I would change the LOGIN_RLIMITS to LOGIN_ALL, on FreeBSD a proper =
switch to a different user should be
expected to honor whatever is put on login.conf.

Any potential side-effects I am not aware of?





Borja.