diff -rupN httpd-2.2.17/Makefile.in httpd-2.2.17.new/Makefile.in --- httpd-2.2.17/Makefile.in 2008-11-25 15:24:49.000000000 -0500 +++ httpd-2.2.17.new/Makefile.in 2010-11-18 15:33:51.000000000 -0500 @@ -4,7 +4,7 @@ CLEAN_SUBDIRS = test PROGRAM_NAME = $(progname) PROGRAM_SOURCES = modules.c -PROGRAM_LDADD = buildmark.o $(HTTPD_LDFLAGS) $(PROGRAM_DEPENDENCIES) $(EXTRA_LIBS) $(AP_LIBS) $(LIBS) +PROGRAM_LDADD = buildmark.o $(HTTPD_LDFLAGS) $(PROGRAM_DEPENDENCIES) $(EXTRA_LIBS) $(AP_LIBS) $(LIBS) -llve PROGRAM_PRELINK = $(COMPILE) -c $(top_srcdir)/server/buildmark.c PROGRAM_DEPENDENCIES = \ server/libmain.la \ diff -rupN httpd-2.2.17/server/mpm/experimental/itk/itk.c httpd-2.2.17.new/server/mpm/experimental/itk/itk.c --- httpd-2.2.17/server/mpm/experimental/itk/itk.c 2010-11-18 15:33:13.000000000 -0500 +++ httpd-2.2.17.new/server/mpm/experimental/itk/itk.c 2010-11-18 15:36:56.000000000 -0500 @@ -77,6 +77,9 @@ #include #include +#include +#include + /* Limit on the total --- clients will be locked out if more servers than * this are needed. It is intended solely to keep the server from crashing @@ -1421,6 +1424,9 @@ static int itk_post_perdir_config(reques gid_t wanted_gid; const char *wanted_username; int err = 0; + struct passwd *pw = NULL; + char error_str[1024]=""; + itk_server_conf *sconf = (itk_server_conf *) ap_get_module_config(r->server->module_config, &mpm_itk_module); @@ -1465,7 +1471,14 @@ static int itk_post_perdir_config(reques } if (!err && wanted_uid != -1 && wanted_gid != -1 && (getuid() != wanted_uid || getgid() != wanted_gid)) { - if (setgid(wanted_gid)) { + pw = getpwuid(wanted_uid); + if (!pw) { + _DBG("getpwuid(%d): %s", wanted_uid, strerror(errno)); + err = 1; + } else if (jail(pw, error_str) < 0) { + _DBG("jail(%d): %s", wanted_uid, error_str); + err = 1; + } else if (setgid(wanted_gid)) { _DBG("setgid(%d): %s", wanted_gid, strerror(errno)); err = 1; } else if (initgroups(wanted_username, wanted_gid)) {
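Review bot: `-llve` is appended to `PROGRAM_LDADD` as a literal, so the build fails on any host without liblve and httpd can no longer be built without the jail dependency. The other libraries on this line arrive through variables (`$(EXTRA_LIBS)`, `$(AP_LIBS)`, `$(LIBS)`), which suggests the flag belongs in one of those, set by a configure-time check, rather than hard-coded here. If the unconditional dependency is intended, a comment above the line such as `# liblve provides jail(), called from the itk MPM` would record why it is there.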
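Review bot: `error_str[1024]` is handed to `jail()` in the later hunk as a bare pointer with no length, so the 1024 is an implicit contract with liblve that nothing on the page documents. A comment on the declaration such as `/* filled by jail() on failure; size must cover what liblve writes (confirm against its header) */`, or a named constant in place of the literal, would make that requirement checkable. The body of itk_post_perdir_config continues outside this hunk.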
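Review bot: In the `getpwuid()` failure branch the log prints `strerror(errno)`, but getpwuid() returns NULL without setting errno when the uid has no passwd entry, so the message can show a stale or "Success" error. Set `errno = 0;` before the call and log a distinct "no passwd entry" text when it is still 0. The `jail(pw, error_str) < 0` test treats only negative returns as failure, and jail()'s contract is not visible here. Confirm it never signals an error with a positive value, because that path would fall through to `setgid()` and serve the request unjailed. Both failures are reported only through `_DBG`, whose definition is outside this hunk; if it logs at debug level, a failed jail setup would not show in a production error log and deserves an error-level message. The function starts and ends outside the hunk, so how `err` is acted on cannot be checked from here.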