Russian Apache Switch to English
Switch to Russian koi8-r
windows=1251
cp-866
iso8859-5
Russian Apache Как это работает Рекоммендации Где взять Как установить Как настроить Статус и поддержка
Краткий обзор FAQ Список рассылки Благодарности Поиск по серверу Powered by Russian Apache
Russian Apache mailing list archive (apache-rus@lists.lexa.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[apache-talk] suexec patch for setting rlimits and allow root-owned scripts



Приветствую, коллеги. Мы вот тут заимплементили странного, а именно
фиксацию лимитов для суэкзеченных скриптов (плюс добывание класса
пользователя, или взятие его их группы, если у него нет explicit класса)

Кроме того, после тяжкого раздумья была-таки сделана модификация,
позволяющая пускать скрипты, принадлежащие руту (благо проверка на
правильные права все равно делается)

Все крайне непортабельно, у нас работает под FreeBSD 3.x и 4.x :) Портинг
категорически приветствуется. Если вы что-нибудь с этим сделаете, напишите
об этом мне и Олегу (стоит в CC:)

Конструктивная ругань тоже приветствуется, разумеется ;)

Sincerely,
D.Marck                                   [DM5020, DM268-RIPE, DM3-RIPN]
------------------------------------------------------------------------
*** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@xxxxxxxx ***
------------------------------------------------------------------------


--- suexec.c.ru	Wed Nov  8 22:45:34 2000
+++ suexec.c.new	Wed Nov  8 22:47:50 2000
@@ -68,6 +68,12 @@
  *
  ***********************************************************************
  *
+ * Minor modifications for setting rlimits and allow root-owned scripts
+ * to be executed have been done by Oleg Bulyzhin <oleg@xxxxxxxx> and
+ * Dmitry Morozovsky <marck@xxxxxxxx>
+ *
+ ***********************************************************************
+ *
  *
  * Error messages in the suexec logfile are prefixed with severity values
  * similar to those used by the main server:
@@ -88,6 +94,13 @@
 #include <sys/stat.h>
 #include <sys/types.h>
 
+/* +OB: we need it later */
+#include <sys/time.h>
+#include <sys/resource.h>
+#include <login_cap.h>
+#include <grp.h>
+/* -OB */
+
 #include <stdarg.h>
 
 #include "suexec.h"
@@ -279,6 +292,32 @@
     struct stat dir_info;	/* directory info holder     */
     struct stat prg_info;	/* program info holder       */
 
+    /* +OB: we need it later	     			     */
+    login_cap_t		*lc = NULL;
+    char		capnam[128];
+    rlim_t		capval;
+    struct rlimit	limit[RLIM_NLIMITS];		
+    int			i, rc;
+    struct {
+	const char	*cap;
+	rlim_t		(*func)(login_cap_t *, const char *, rlim_t, rlim_t);
+    } resources[] = {
+	{ "cputime",        login_getcaptime },
+	{ "filesize",       login_getcapsize },
+	{ "datasize",       login_getcapsize },
+	{ "stacksize",      login_getcapsize },
+	{ "coredumpsize",   login_getcapsize },
+	{ "memoryuse",      login_getcapsize },
+	{ "memorylocked",   login_getcapsize },
+	{ "maxproc",        login_getcapnum },
+	{ "openfiles",      login_getcapnum },
+	/* DM: we need it since 4.x, also make finish entry */
+/*	{ "sbsize",         login_getcapnum }, */
+	{ NULL,		NULL }
+    };
+
+    /* -OB */
+
     /*
      * If there are a proper number of arguments, set
      * all of them to variables.  Otherwise, error out.
@@ -404,14 +443,48 @@
     actual_uname = strdup(pw->pw_name);
     target_homedir = strdup(pw->pw_dir);
 
+    /* +OB: get login class name */
+    if ((lc = login_getpwclass(pw)) == NULL) {
+	log_err("emerg: cant get login class (%ld: %s)\n", uid, cmd);
+	exit(127);
+    }
+
+				/* if user has no class in passwd entry
+				 * trying to get "group"  class - class
+				 * with name identical to group name
+				 */
+    if (strncmp(lc->lc_class, "default", 7) == 0) {
+    	if ((gr = getgrgid(pw->pw_gid)) == NULL) {	/* getting group */
+	    log_err("emerg: getgrgid failed (%ld: %s)\n", uid, cmd);
+	    exit(127);
+    	}
+				/* looking for class for this group */
+        if ((lc = login_getclass(gr->gr_name)) == NULL) {
+	    log_err("emerg: cant get login class (%ld: %s)\n", uid, cmd);
+	    exit(127);
+        }
+    }
+    /* -OB */
+
     /*
      * Log the transaction here to be sure we have an open log 
      * before we setuid().
      */
+
+    /* +OB */
+    /* Original log_err call 
     log_err("info: (target/actual) uid: (%s/%s) gid: (%s/%s) cmd: %s\n",
 	    target_uname, actual_uname,
 	    target_gname, actual_gname,
 	    cmd);
+    */
+    /* My log_err call */
+    log_err("info: (target/actual) class: (%s) uid: (%s/%s) gid: (%s/%s) cmd: %s\n",
+	    lc->lc_class,
+	    target_uname, actual_uname,
+	    target_gname, actual_gname,
+	    cmd);
+    /* -OB */
 
     /*
      * Error out if attempt is made to execute as root or as
@@ -443,6 +516,44 @@
     }
 
     /*
+     * +OB:
+     * set up limits 
+     *
+     */
+    for (rc = 0, i = 0; i < RLIM_NLIMITS; i++) { /* init with current values */
+	if (getrlimit(i, &limit[i]) == -1) {
+	    rc = 1;
+	    log_err("emerg: getrlimit i = %u  (%ld: %s)\n", i, uid, cmd);
+	}
+    }
+    if (rc) exit(127);
+
+    for (i = 0; i < RLIM_NLIMITS && resources[i].cap; i++) {
+
+	sprintf(capnam, "%s-cur", resources[i].cap);
+	capval = resources[i].func(lc, resources[i].cap, limit[i].rlim_cur,
+				       limit[i].rlim_cur);
+	limit[i].rlim_cur = resources[i].func(lc, capnam, capval, capval);
+
+	sprintf(capnam, "%s-max", resources[i].cap);
+	capval = resources[i].func(lc, resources[i].cap, limit[i].rlim_max,
+				       limit[i].rlim_max);
+	limit[i].rlim_max = resources[i].func(lc, capnam, capval, capval);
+
+    }
+
+    for (rc = 0, i = 0; i < RLIM_NLIMITS && resources[i].cap; i++) { /* set up calculated limits */
+	if (setrlimit(i, &limit[i]) == -1) {
+	    rc = 1;
+	    log_err("emerg: setrlimit i = %u  (%ld: %s)\n", i, uid, cmd);
+	}
+    }
+    if (rc) exit(127);
+
+    login_close(lc);
+    /* -OB */
+
+    /*
      * setuid() to the target user.  Error out on fail.
      */
     if ((setuid(uid)) != 0) {
@@ -450,6 +561,7 @@
 	exit(110);
     }
 
+
     /*
      * Get the current working directory, as well as the proper
      * document root (dependant upon whether or not it is a
@@ -531,9 +643,12 @@
      * Error out if the target name/group is different from
      * the name/group of the cwd or the program.
      */
+	/* +DM: allow also well-formed root-owned scripts to run
+		(for hardlinked common scripts)
+	*/
     if ((uid != dir_info.st_uid) ||
 	(gid != dir_info.st_gid) ||
-	(uid != prg_info.st_uid) ||
+	(uid != prg_info.st_uid && prg_info.st_uid != 0) ||
 	(gid != prg_info.st_gid)) {
 	log_err("error: target uid/gid (%ld/%ld) mismatch "
 		"with directory (%ld/%ld) or program (%ld/%ld)\n",
@@ -542,6 +657,9 @@
 		prg_info.st_uid, prg_info.st_gid);
 	exit(120);
     }
+    if (prg_info.st_uid == 0)
+	log_err("notice: [%u] running script is root-owned (%s/%s)\n", 
+		getpid(), cwd, cmd);
     /*
      * Error out if the program is not executable for the user.
      * Otherwise, she won't find any error in the logs except for

=============================================================================
=               Apache-Talk@xxxxxxxxxxxxx mailing list                      =
Mail "unsubscribe apache-talk" to majordomo@xxxxxxxxxxxxx if you want to quit.
=       Archive avaliable at http://www.lexa.ru/apache-talk                 =






Спонсоры сайта:

[ Russian Apache ] [ Как это работает ] [ Рекомендации ] [ Где взять ] [ Как установить ] [ Как настроить ] [ Статус и поддержка ] [ Краткий обзор ] [ FAQ ] [ Список рассылки ] [ Благодарности ] [ Поиск по серверу ] [ Powered by Russian Apache ] [ Apache-talk archive ]

"Russian Apache" includes software developed by the Apache Group for use in the Apache HTTP server project (http://www.apache.org/) See Apache LICENSE.
Copyright (C) 1995-2001 The Apache Group. All rights reserved.
Copyright (C) 1996 Dm. Kryukov; Copyright (C) 1997-2009 Alex Tutubalin. Design (C) 1998 Max Smolev.