By default suexec doesn't enforce different resource limitations configured in login.conf(5). This is probably because resource limitations are handled differently on various different platforms. The attached patch modifies suexec behaviour to set resource limits for CGIs from /etc/login.conf before execing the customer's CGI script. This functionality has already been implemented in www/apache13 with patch-ak, patch-ba, and patch-bb.
Responsible Changed From-To: freebsd-ports-bugs->apache Over to maintainer (via the GNATS Auto Assign Tool)
Should be an optional patch, please consider adding a make config option.
> Should be an optional patch, please consider adding a make config option.

Ok, I have attached diff with this patch enabled via config option (default is off).
+ minor code cleanup for Makefile: [129]: whitespace before end of line.

--
Alexey V. Degtyarev
Responsible Changed From-To: apache->pgollucci I'll take it.
> Thank you very much for your problem report.
> It has the internal identification `ports/136091'.
> The individual assigned to look at your
> report is: freebsd-ports-bugs.
>
> You can access the state of your problem report at any time
> via this link:
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=136091
>
> >Category: ports
> >Responsible: freebsd-ports-bugs
> >Synopsis: [PATCH] www/apache22 - suexec resource limits patch
> >Arrival-Date: Sat Jun 27 14:40:01 UTC 2009

Are there any chances to see this patch in the next ports tree freeze? Actually this patch has been tested for a long time on heavy-load production virtual hosting servers.

--
Alexey V. Degtyarev
State Changed From-To: open->analyzed this needs to go upstream to dev@httpd.a.o, I'll follow up there
State Changed From-To: analyzed->open Maintainer approved.
Responsible Changed From-To: pgollucci->apache Over to maintainer.
State Changed From-To: open->closed Committed. Thanks!
pgollucci    2010-05-14 05:03:30 UTC

  FreeBSD ports repository

  Modified files:
    www/apache22         Makefile Makefile.options
  Added files:
    www/apache22/files   patch-suexec_rsrclimit
  Log:
  By default suexec doesn't enforce different resource limitations
  configured in login.conf(5). This is probably because resource
  limitations are handled differently on various different platforms.

  This modifies suexec behaviour to set resource limits for CGIs from
  /etc/login.conf before execing the customer's CGI script.

  Doesn't affect default package, so no PORTREVISION bumps.

  I will follow up at dev@httpd.apache.org to see about adding this
  with #ifdefs.

  PR:           ports/136091
  Submitted by: Alexey V.Degtyarev <alexey@renatasystems.org>
  With Hat:     apache@

  Revision  Changes    Path
  1.268     +8 -0      ports/www/apache22/Makefile
  1.5       +1 -0      ports/www/apache22/Makefile.options
  1.1       +49 -0     ports/www/apache22/files/patch-suexec_rsrclimit (new)
Maybe this patch should be a bit more overreaching.

It's just applying the rlimits from login.conf, but it would be more useful if it supported other important login.conf attributes such as the MAC labels.

Any thoughts? I would change the LOGIN_RLIMITS to LOGIN_ALL, on FreeBSD a proper switch to a different user should be expected to honor whatever is put on login.conf.

Any potential side-effects I am not aware of?

Borja.
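The ordering this PR is about, limits applied in the wrapper before it execs the script so that the script inherits them, shown as an added example (not the patch from this PR, whose contents are not on this page). It uses plain setrlimit(2) with a constructed cap and `sh -c "ulimit -n"` standing in for the CGI; on FreeBSD, setusercontext(3) with `LOGIN_SETRESOURCES` takes the values from the user's login class instead. The helper name `nofile_seen_by_script` is hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/resource.h>
#include <sys/wait.h>

/* Hypothetical helper: cap RLIMIT_NOFILE to `cap` in a child, exec a shell
 * as a stand-in for the CGI script, and return the limit that script
 * reports. Returns -1 on any failure. */
long nofile_seen_by_script(rlim_t cap)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: plays the wrapper just before it runs the script. */
        struct rlimit rl = { .rlim_cur = cap, .rlim_max = cap };
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) < 0)
            _exit(126);
        /* Fail closed: never exec the script without the limit in place. */
        if (setrlimit(RLIMIT_NOFILE, &rl) != 0)
            _exit(126);
        execl("/bin/sh", "sh", "-c", "ulimit -n", (char *)NULL);
        _exit(127);
    }

    close(fds[1]);
    char buf[32] = {0};
    ssize_t n = read(fds[0], buf, sizeof(buf) - 1);
    close(fds[0]);

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) ||
        WEXITSTATUS(status) != 0 || n <= 0)
        return -1;
    return strtol(buf, NULL, 10);   /* soft limit as seen after exec */
}

int main(void)
{
    /* 64 is a constructed sample cap, not a value from login.conf. */
    printf("script sees RLIMIT_NOFILE = %ld\n", nofile_seen_by_script(64));
    return 0;
}
```

In a privilege-dropping wrapper the limits have to be set before the switch to the target uid, because an unprivileged process can lower its hard limits but not raise them.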