[apache-talk] suexec patch: rlimits, php
Оцените, пожалуйста, вот этот патч для suexec, на предмет
безопасности. Сделан на основе:
http://www.freebsd.org/cgi/query-pr.cgi?pr=13606
http://web.god.net.ru/patches/suexec.patch
--- src/support/Makefile.tmpl.orig Sat Mar 2 20:46:23 2002
+++ src/support/Makefile.tmpl Wed Sep 25 14:27:41 2002
@@ -50,7 +50,7 @@
-e 's%@LIBS_SHLIB@%$(LIBS_SHLIB)%g' && chmod a+x apxs
suexec: suexec.o
- $(CC) $(CFLAGS) -o suexec $(LDFLAGS) suexec.o $(LIBS)
+ $(CC) $(CFLAGS) -o suexec -lutil $(LDFLAGS) suexec.o $(LIBS)
clean:
rm -f $(TARGETS) *.o
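Review bot: `-lutil` is inserted before `suexec.o` on the link line; if libutil is resolved from a static archive the linker scans it before any object has referenced login_getclassbyname()/setusercontext(), so those symbols can remain undefined. Put the library after the objects: `$(CC) $(CFLAGS) -o suexec $(LDFLAGS) suexec.o $(LIBS) -lutil`. Since login_cap is BSD-specific, the flag arguably belongs in $(LIBS) as determined by the configure step rather than hard-coded in the rule.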
--- src/support/suexec.c.orig Thu Mar 14 00:05:37 2002
+++ src/support/suexec.c Wed Oct 2 17:48:32 2002
@@ -88,6 +88,7 @@
#include <sys/param.h>
#include <sys/stat.h>
#include <sys/types.h>
+#include <login_cap.h>
#include <stdarg.h>
@@ -263,10 +264,12 @@
char *cmd; /* command to be executed */
char cwd[AP_MAXPATH]; /* current working directory */
char dwd[AP_MAXPATH]; /* docroot working directory */
+ login_cap_t *lc; /* user resource limits */
struct passwd *pw; /* password entry holder */
struct group *gr; /* group entry holder */
struct stat dir_info; /* directory info holder */
struct stat prg_info; /* program info holder */
+ char *x_suexec_interp;
prog = argv[0];
/*
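Review bot: `x_suexec_interp` is the only declaration in this block without a trailing comment, and it has no initializer, so its validity rests entirely on the later getenv() assignment being reached on every path before the exec; `char *x_suexec_interp = NULL; /* interpreter override from X-SUExec-Interp; NULL = plain execv */` documents the field in the style of its neighbours and makes the default explicit. These declarations belong to main(), which starts and ends outside the hunk.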
@@ -460,6 +463,20 @@
}
/*
+ * Apply user resource limits based on login class.
+ */
+ if ((lc = login_getclassbyname(pw->pw_class, pw)) == NULL) {
+ log_err("failed to login_getclassbyname(): %s\n", strerror(errno));
+ exit(109);
+ }
+
+ if (setusercontext(lc, pw, uid,
+ LOGIN_SETRESOURCES|LOGIN_SETPRIORITY) != 0) {
+ log_err("failed to setusercontext(): %s\n", strerror(errno));
+ exit(109);
+ }
+
+ /*
* Change UID/GID here so that the following tests work over NFS.
*
* Initialize the group access list for the target user,
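Review bot: Both new failure paths exit with 109, which suexec appears to already use for a setgid() failure, so a log reader cannot tell the three cases apart; give each path its own unused code and name the class in the message, e.g. `log_err("failed to login_getclassbyname(%s): %s\n", pw->pw_class, strerror(errno));`. Neither login_getclassbyname() nor setusercontext() is documented to set errno on every failure, so the strerror() text may be stale. Passing `pw` as the second argument lets the user's own ~/.login_conf be consulted, if I read the libutil semantics right — confirm that a user-controlled file is meant to feed LOGIN_SETRESOURCES|LOGIN_SETPRIORITY here, since this runs before the UID/GID change the following comment describes. This call and the `<login_cap.h>` include in the earlier hunk are unguarded BSD-only code, so the patched suexec no longer builds on other platforms without an #ifdef. main() starts and ends outside the hunk.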
@@ -575,7 +592,8 @@
* Otherwise, she won't find any error in the logs except for
* "[error] Premature end of script headers: ..."
*/
- if (!(prg_info.st_mode & S_IXUSR)) {
+ x_suexec_interp = getenv("X-SUExec-Interp");
+ if (!(prg_info.st_mode & S_IXUSR) && x_suexec_interp == NULL) {
log_err("error: file has no execute permission: (%s/%s)\n", cwd, cmd);
exit(121);
}
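Review bot: The execute-permission check is now skipped for any non-NULL `X-SUExec-Interp` value, but the value is only interpreted much later in the exec hunk, where nothing but "PHP" is handled; validate it here, before it weakens a security check: `if (x_suexec_interp != NULL && strcmp(x_suexec_interp, "PHP") != 0) { log_err("error: unknown interpreter: %s\n", x_suexec_interp); exit(<unused exit code>); }`. It is also worth confirming getenv() can see this variable at all: suexec sanitises its environment early in main() against an allow-list, and nothing in this patch extends that list, so unless it was changed separately the branch is inert. main() starts and ends outside the hunk.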
@@ -617,7 +635,10 @@
ap_execve(cmd, &argv[3], environ);
}
#else /*NEED_HASHBANG_EMUL*/
- execv(cmd, &argv[3]);
+ if (x_suexec_interp == NULL)
+ execv(cmd, &argv[3]);
+ else if (strcmp(x_suexec_interp, "PHP") == 0)
+ execl("/usr/local/bin/php", "php", cmd, NULL);
#endif /*NEED_HASHBANG_EMUL*/
/*
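Review bot: The new else-if chain has no final branch, so when `x_suexec_interp` holds anything other than "PHP" neither execv() nor execl() runs and control falls through past `#endif` to the code after the hunk, which (assuming suexec's usual exec-failure path follows) logs strerror() of an errno no exec call set. Add a terminating `else { log_err("error: unknown interpreter: %s\n", x_suexec_interp); exit(<unused exit code>); }`. The `NEED_HASHBANG_EMUL` branch above still calls ap_execve(cmd, ...) and ignores the override entirely, so on such builds a non-executable file passes the relaxed permission check only to fail at exec time. The interpreter path `/usr/local/bin/php` is hard-coded; a configure-time define in the style of suexec's other path constants would keep it reviewable in one place. main() ends outside the hunk.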
--
DSS5-RIPE DSS-RIPN 2:550/5068@fidonet 2:550/5069@fidonet
mailto:dsh@vlink.ru http://neva.vlink.ru/~dsh/