httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Solar Designer <so...@false.com>
Subject rlimits support for suexec
Date Tue, 13 Jan 1998 04:19:08 GMT
Hello,

Here's a patch for suexec I did a while ago (tested in Linux only), to set
resource limits for CGIs. Otherwise the users could crash the entire httpd...

--- orig/suexec.h	Sat Dec 20 05:06:26 1997
+++ suexec.h	Sat Dec 20 05:03:26 1997
@@ -134,4 +134,15 @@
 #define SAFE_PATH "/usr/local/bin:/usr/bin:/bin"
 #endif
 
+/*
+ * SUEXEC_RLIMIT_* -- Resource limits.
+ */
+#ifndef SUEXEC_RLIMIT_NPROC
+#define SUEXEC_RLIMIT_NPROC 8
+#endif
+
+#ifndef SUEXEC_RLIMIT_DATA
+#define SUEXEC_RLIMIT_DATA (16 * 1024 * 1024)
+#endif
+
 #endif  /* _SUEXEC_H */
--- orig/suexec.c	Sat Dec 20 05:06:25 1997
+++ suexec.c	Sat Dec 20 05:03:24 1997
@@ -80,6 +80,8 @@
 #include <grp.h>
 #include <time.h>
 #include <sys/stat.h>
+#include <sys/resource.h>
+#include <errno.h>
 
 #if defined(PATH_MAX)
 #define AP_MAXPATH PATH_MAX
@@ -209,6 +211,26 @@
     environ = cleanenv;
 }
 
+void set_one_limit(int resource, int limit)
+{
+    struct rlimit rl;
+
+    if (!getrlimit(resource, &rl))
+    if (limit > rl.rlim_max) return;
+
+    rl.rlim_max = rl.rlim_cur = limit;
+    if (setrlimit(resource, &rl)) {
+	log_err("cannot set resource limits: %s\n", strerror(errno));
+	exit(121);
+    }
+}
+
+void set_limits()
+{
+    set_one_limit(RLIMIT_NPROC, SUEXEC_RLIMIT_NPROC);
+    set_one_limit(RLIMIT_DATA, SUEXEC_RLIMIT_DATA);
+}
+
 int main(int argc, char *argv[])
 {
     int userdir = 0;        /* ~userdir flag             */
@@ -460,6 +482,11 @@
 		 prg_info.st_uid, prg_info.st_gid);
 	exit(120);
     }
+
+    /*
+     * Set the resource limits.
+     */
+    set_limits();
 
     clean_env();

Signed,
Solar Designer

Mime
View raw message