[Apache] Ограничение в suexec ресурсов CGI-скриптов через "FreeBSD login class" (patch apache limit)
Date: Wed, 27 Dec 2000 13:45:08 +0900 (YAKT)
From: Chris Hardie <chris@summersault.com>
Subject: [Apache] Ограничение в suexec ресурсов CGI-скриптов через "FreeBSD login class"
# See http://www.summersault.com/chris/techno/apache/suexec_rsrclimit.html
--- Makefile.tmpl.orig Fri Feb 8 14:52:57 2002
+++ Makefile.tmpl Fri Feb 8 12:59:49 2002
@@ -47,7 +47,7 @@
-e 's%@LIBS_SHLIB@%$(LIBS_SHLIB)%g' && chmod a+x apxs
suexec: suexec.o
- $(CC) $(CFLAGS) -o suexec $(LDFLAGS) suexec.o $(LIBS)
+ $(CC) $(CFLAGS) -lutil -o suexec $(LDFLAGS) suexec.o $(LIBS)
clean:
rm -f $(TARGETS) *.o
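Review bot: `-lutil` is placed ahead of `suexec.o` on the new link line, so a linker that resolves archives strictly left to right (for example a static link) can discard libutil before it sees the object that references `login_getclassbyname` and `setusercontext`. Libraries belong after the objects: `$(CC) $(CFLAGS) -o suexec $(LDFLAGS) suexec.o $(LIBS) -lutil`. The flag is also unconditional, so this template will only link on systems whose libutil provides the login_cap functions; a build-time switch would keep other platforms building.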
--- suexec.c.orig Fri Feb 8 12:57:24 2002
+++ suexec.c Fri Feb 8 12:58:32 2002
@@ -88,6 +88,7 @@
#include <sys/param.h>
#include <sys/stat.h>
#include <sys/types.h>
+#include <login_cap.h>
#include <stdarg.h>
@@ -269,6 +270,7 @@
char *cmd; /* command to be executed */
char cwd[AP_MAXPATH]; /* current working directory */
char dwd[AP_MAXPATH]; /* docroot working directory */
+ login_cap_t *lc; /* user resource limits */
struct passwd *pw; /* password entry holder */
struct group *gr; /* group entry holder */
struct stat dir_info; /* directory info holder */
@@ -463,6 +465,19 @@
if ((gid == 0) || (gid < GID_MIN)) {
log_err("crit: cannot run as forbidden gid (%d/%s)\n", gid, cmd);
exit(108);
+ }
+
+ /*
+ * Apply user resource limits based on login class.
+ */
+ if ((lc = login_getclassbyname(pw->pw_class, pw)) == NULL) {
+ log_err("failed to login_getclassbyname()\n");
+ exit(109);
+ }
+
+ if ((setusercontext(lc, pw, uid, LOGIN_SETRESOURCES)) != 0) {
+ log_err("failed to setusercontext()\n");
+ exit(109);
}
/*
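Review bot: The two new failure paths log `failed to login_getclassbyname()` and `failed to setusercontext()` with no severity prefix and no uid or command, unlike the `crit:` gid message directly above, so a resource-limit failure cannot be tied to a user or script from the suexec log. A message in the existing style, such as `log_err("crit: cannot apply login class limits (%d/%s)\n", uid, cmd);`, would fix that. Both paths also exit with 109, which may already be used by a later check outside the hunk, so each should get its own unused code. `lc` is never released; calling `login_close(lc);` after the successful `setusercontext()` call frees the capability record before the target program is executed. The enclosing function starts and ends outside the hunk.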