authorPhilip M. Gollucci <pgollucci@FreeBSD.org>2010-05-14 05:03:30 +0000
committerPhilip M. Gollucci <pgollucci@FreeBSD.org>2010-05-14 05:03:30 +0000
commitdac9992061abed717a6fb4f0fa2ae3453ebdaebf (patch)
tree4e22a82ee5376af5aa14574c45f3b7e7e3c3006b /www/apache22
parent1faf1eafac23c0f12a88a5542810081ab3fe7183 (diff)
Diffstat (limited to 'www/apache22')
-rw-r--r--www/apache22/Makefile8
-rw-r--r--www/apache22/Makefile.options1
-rw-r--r--www/apache22/files/patch-suexec_rsrclimit49
3 files changed, 58 insertions, 0 deletions
diff --git a/www/apache22/Makefile b/www/apache22/Makefile
index 516be1a5d8b8..50c4af76205c 100644
--- a/www/apache22/Makefile
+++ b/www/apache22/Makefile
@@ -67,6 +67,14 @@ OPTIONS= \
.include "${APACHEDIR}/Makefile.options"
.endif
+.if defined(WITH_SUEXEC_RSRCLIMIT)
+EXTRA_PATCHES+= ${FILESDIR}/extra-patch-suexec_rsrclimit
+.if !defined(WITH_SUEXEC)
+IGNORE= suEXEC resource limit patch requires mod_suexec.\
+ Please (re)run 'make config' and choose SUEXEC option also
+.endif
+.endif
+
CONFIGURE_ARGS= --prefix=${PREFIX_RELDEST} \
--enable-layout=FreeBSD \
--with-perl=${PERL5} \
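Review bot: The path appended to `EXTRA_PATCHES`, `${FILESDIR}/extra-patch-suexec_rsrclimit`, does not match the file this commit adds, which the diffstat lists as `files/patch-suexec_rsrclimit`. With the option enabled the build would look for a patch file that is not there. Because the ports framework applies every `files/patch-*` on its own, the suexec change would also reach every build whether or not `WITH_SUEXEC_RSRCLIMIT` is set. That silently alters a privileged helper and adds the `-lutil` link for users who never opted in. Renaming the new file to `files/extra-patch-suexec_rsrclimit` would make the option gate effective.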
diff --git a/www/apache22/Makefile.options b/www/apache22/Makefile.options
index 3751c64316f1..3c88396d7e67 100644
--- a/www/apache22/Makefile.options
+++ b/www/apache22/Makefile.options
@@ -72,5 +72,6 @@ OPTIONS+= \
PROXY_SCGI "Enable mod_proxy_scgi" OFF \
SSL "Enable mod_ssl" ON \
SUEXEC "Enable mod_suexec" OFF \
+ SUEXEC_RSRCLIMIT "SuEXEC rlimits based on login class" OFF \
CGID "Enable mod_cgid" OFF \
diff --git a/www/apache22/files/patch-suexec_rsrclimit b/www/apache22/files/patch-suexec_rsrclimit
new file mode 100644
index 000000000000..df41fe7f4962
--- /dev/null
+++ b/www/apache22/files/patch-suexec_rsrclimit
@@ -0,0 +1,49 @@
+# http://www.chrishardie.com/tech/apache/suexec_rsrclimit.html
+--- support/suexec.c.orig Wed Jul 12 07:38:44 2006
++++ support/suexec.c Wed Nov 15 23:58:04 2006
+@@ -37,6 +37,7 @@
+ #include <sys/param.h>
+ #include <sys/stat.h>
+ #include <sys/types.h>
++#include <login_cap.h>
+ #include <string.h>
+ #include <time.h>
+ #if APR_HAVE_UNISTD_H
+@@ -259,6 +260,7 @@
+ char *cmd; /* command to be executed */
+ char cwd[AP_MAXPATH]; /* current working directory */
+ char dwd[AP_MAXPATH]; /* docroot working directory */
++ login_cap_t *lc; /* user resource limits */
+ struct passwd *pw; /* password entry holder */
+ struct group *gr; /* group entry holder */
+ struct stat dir_info; /* directory info holder */
+@@ -463,6 +465,18 @@
+ log_err("cannot run as forbidden gid (%d/%s)\n", gid, cmd);
+ exit(108);
+ }
++
++ /*
++ * Apply user resource limits based on login class.
++ */
++ if ((lc = login_getclassbyname(pw->pw_class, pw)) == NULL) {
++ log_err("failed to login_getclassbyname()\n");
++ exit(109);
++ }
++ if ((setusercontext(lc, pw, uid, LOGIN_SETRESOURCES)) != 0) {
++ log_err("failed to setusercontext()\n");
++ exit(109);
++ }
+
+ /*
+ * Change UID/GID here so that the following tests work over NFS.
+--- support/Makefile.in.orig Thu Nov 16 02:20:47 2006
++++ support/Makefile.in Thu Nov 16 02:11:29 2006
+@@ -65,7 +65,7 @@
+
+ suexec_OBJECTS = suexec.lo
+ suexec: $(suexec_OBJECTS)
+- $(LINK) $(suexec_OBJECTS)
++ $(LINK) -lutil $(suexec_OBJECTS)
+
+ htcacheclean_OBJECTS = htcacheclean.lo
+ htcacheclean: $(htcacheclean_OBJECTS)
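Review bot: The two new failure paths in suexec.c both log a fixed string and both `exit(109)`, so neither the suexec log nor the exit status identifies the account or login class that was rejected, or which call failed. The neighbouring `forbidden gid` message does include the id and command, so the same shape would fit here, e.g. `log_err("login_getclassbyname() failed (%d/%s)\n", uid, cmd);` and a distinct exit code for the `setusercontext()` failure. 109 may already be used by the setgid/setuid checks that follow, which the hunk does not show, so confirm against the full file. `lc` is never released with `login_close(lc)` after `setusercontext()` succeeds; this is harmless before an exec but cheap to add. In the Makefile.in part, `-lutil` is placed before `$(suexec_OBJECTS)`; putting libraries after the objects (`$(LINK) $(suexec_OBJECTS) -lutil`) is the order that resolves reliably. The enclosing `main()` starts and ends outside the hunk.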