diff -ur apache_1.3.27/src/support/Makefile.tmpl apache_1.3.27.old/src/support/Makefile.tmpl~
--- apache_1.3.27/src/support/Makefile.tmpl	Sat Mar  2 20:46:23 2002
+++ apache_1.3.27.old/src/support/Makefile.tmpl	Mon Nov  4 14:33:14 2002
@@ -49,6 +49,8 @@
 	    -e 's%@LDFLAGS_MOD_SHLIB@%$(LDFLAGS_MOD_SHLIB)%g' \
 	    -e 's%@LIBS_SHLIB@%$(LIBS_SHLIB)%g' && chmod a+x apxs
 
+suexec: CFLAGS += -DSUEXEC_PAM_SESSION
+suexec: LIBS += -lpam
 suexec: suexec.o
 	$(CC) $(CFLAGS) -o suexec $(LDFLAGS) suexec.o $(LIBS)
 
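Review bot: The added lines `suexec: CFLAGS += -DSUEXEC_PAM_SESSION` and `suexec: LIBS += -lpam` use target-specific variable assignment, a GNU make extension, so the template will likely fail under other make implementations. They also enable PAM for every build with no configure-time switch, which makes libpam and a PAM service entry for suexec a hard requirement of a setuid helper. Consider gating this behind a build option, or at least adding a comment such as `# PAM session support: needs libpam and a PAM service file for "suexec"`.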
diff -ur apache_1.3.27/src/support/suexec.c apache_1.3.27.old/src/support/suexec.c
--- apache_1.3.27/src/support/suexec.c	Mon Nov  4 14:30:16 2002
+++ apache_1.3.27.old/src/support/suexec.c	Mon Nov  4 14:35:45 2002
@@ -92,6 +92,10 @@
 #include <stdarg.h>
 #include <strings.h>
 
+#ifdef SUEXEC_PAM_SESSION
+#include <security/pam_appl.h>
+#endif
+
 #include "suexec.h"
 
 /*
@@ -848,6 +852,43 @@
 #endif /* SUEXEC_UMASK */
     clean_env();
 
+#ifdef SUEXEC_PAM_SESSION
+    /*
+     * Use PAM session support. Initial goal was to use the pam_limits module.
+     */
+
+#ifndef PAM_SERVICE_NAME
+#define PAM_SERVICE_NAME "suexec"
+#endif /* PAM_SERVICE_NAME */
+
+#define PAM_CALL(call, name, err_code, do_end) \
+    do \
+    { \
+       rc = (call); \
+       if (rc != PAM_SUCCESS) \
+       { \
+           log_err("error: %s(): [%d] %s\n", (name), rc, pam_strerror(pamh, rc)); \
+           (do_end) && pam_end(pamh, rc); \
+           exit(err_code); \
+	} \
+    } while (0)
+
+    {
+       int             rc;
+       pam_handle_t    *pamh = NULL;
+       struct pam_conv pamc = { NULL, NULL };
+
+       PAM_CALL(pam_start(PAM_SERVICE_NAME, actual_uname, &pamc, &pamh),
+                "pam_start", 241, 0);
+       PAM_CALL(pam_open_session(pamh, 0), "pam_open_session", 242, 1);
+       PAM_CALL(pam_close_session(pamh, 0), "pam_close_session", 243, 1);
+       PAM_CALL(pam_end(pamh, 0), "pam_end", 244, 0);
+    }
+
+#undef PAM_CALL
+#undef PAM_SERVICE_NAME
+#endif /* SUEXEC_PAM_SESSION */
+
     /* 
      * Be sure to close the log file so the CGI can't
      * mess with it.  If the exec fails, it will be reopened
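Review bot: The comment above PAM_CALL does not say why the session is closed immediately after it is opened, or which credentials the PAM calls run with, and both determine what this block can do. Only module effects that remain in process state (the resource limits from pam_limits that the comment mentions) survive `pam_close_session`. If the uid has already been switched earlier in the function (not visible here; the hunk sits mid-body after `clean_env()`), session modules run unprivileged and cannot raise hard limits. I would extend the comment to something like `/* Session is opened and closed before exec: only process-inherited state such as rlimits carries over to the CGI. */` and state that the conversation callback is NULL, so the service file should list only modules that never prompt. In the macro, `(do_end) && pam_end(pamh, rc);` would read more clearly as `if (do_end) pam_end(pamh, rc);`.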