httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Randy Terbush <ra...@covalent.net>
Subject Re: rlimits support for suexec
Date Tue, 13 Jan 1998 03:40:42 GMT
Won't the rlimits set by Apache be passed to suexec'd CGI?

On Tue, Jan 13, 1998 at 01:19:08AM -0300, Solar Designer wrote:
> Hello,
> 
> Here's a patch for suexec I did a while ago (tested in Linux only), to set
> resource limits for CGIs. Otherwise the users could crash the entire httpd...
> 
> --- orig/suexec.h	Sat Dec 20 05:06:26 1997
> +++ suexec.h	Sat Dec 20 05:03:26 1997
> @@ -134,4 +134,15 @@
>  #define SAFE_PATH "/usr/local/bin:/usr/bin:/bin"
>  #endif
>  
> +/*
> + * SUEXEC_RLIMIT_* -- Resource limits.
> + */
> +#ifndef SUEXEC_RLIMIT_NPROC
> +#define SUEXEC_RLIMIT_NPROC 8
> +#endif
> +
> +#ifndef SUEXEC_RLIMIT_DATA
> +#define SUEXEC_RLIMIT_DATA (16 * 1024 * 1024)
> +#endif
> +
>  #endif  /* _SUEXEC_H */
> --- orig/suexec.c	Sat Dec 20 05:06:25 1997
> +++ suexec.c	Sat Dec 20 05:03:24 1997
> @@ -80,6 +80,8 @@
>  #include <grp.h>
>  #include <time.h>
>  #include <sys/stat.h>
> +#include <sys/resource.h>
> +#include <errno.h>
>  
>  #if defined(PATH_MAX)
>  #define AP_MAXPATH PATH_MAX
> @@ -209,6 +211,26 @@
>      environ = cleanenv;
>  }
>  
> +void set_one_limit(int resource, int limit)
> +{
> +    struct rlimit rl;
> +
> +    if (!getrlimit(resource, &rl))
> +    if (limit > rl.rlim_max) return;
> +
> +    rl.rlim_max = rl.rlim_cur = limit;
> +    if (setrlimit(resource, &rl)) {
> +	log_err("cannot set resource limits: %s\n", strerror(errno));
> +	exit(121);
> +    }
> +}
> +
> +void set_limits()
> +{
> +    set_one_limit(RLIMIT_NPROC, SUEXEC_RLIMIT_NPROC);
> +    set_one_limit(RLIMIT_DATA, SUEXEC_RLIMIT_DATA);
> +}
> +
>  int main(int argc, char *argv[])
>  {
>      int userdir = 0;        /* ~userdir flag             */
> @@ -460,6 +482,11 @@
>  		 prg_info.st_uid, prg_info.st_gid);
>  	exit(120);
>      }
> +
> +    /*
> +     * Set the resource limits.
> +     */
> +    set_limits();
>  
>      clean_env();
> 
> Signed,
> Solar Designer

Mime
View raw message