Hello.

Upstream seems to be inactive for this bugreport.

Could you, please, consider the possibility to include the attached
patch at least in apache2-suexec-custom package?

It works well for me (a search of the old BTS did not turn up any concrete
problems with the patch), and it can easily be adapted so that it is disabled
by default at run time (via a conffile).
#! /bin/sh /usr/share/dpatch/dpatch-run
## 203_suexec-pam.dpatch
##
## DP: http://www.opennet.ru/base/patch/suexec_pam.txt.html

@DPATCH@
diff -urNad apache2-2.2.9~/support/suexec.c apache2-2.2.9/support/suexec.c
--- apache2-2.2.9~/support/suexec.c     2009-09-08 04:53:58.000000000 +0400
+++ apache2-2.2.9/support/suexec.c      2009-09-08 04:59:00.000000000 +0400
@@ -32,6 +32,11 @@
 
 #include "apr.h"
 #include "ap_config.h"
+
+#ifdef SUEXEC_PAM_SESSION
+#include <security/pam_appl.h>
+#endif /* SUEXEC_PAM_SESSION */
+
 #include "suexec.h"
 
 #include <sys/param.h>
@@ -469,6 +474,40 @@
         exit(108);
     }
 
+#ifdef SUEXEC_PAM_SESSION
+       /*
+        * Use PAM session support (to use pam_limits module).
+        */
+
+#define PAM_CALL(call, name, err_code, do_end) \
+       do { \
+               rc = (call); \
+               if (rc != PAM_SUCCESS) { \
+                       log_err("error: %s(): [%d] %s\n", (name), \
+                                       rc, pam_strerror(pamh, rc)); \
+                       (do_end) && pam_end(pamh, rc); \
+                       exit(err_code); \
+               } \
+       } while (0)
+       
+       {
+               int rc;
+               pam_handle_t *pamh = NULL;
+               struct pam_conv pamc = { NULL };
+
+               PAM_CALL(pam_start("suexec", actual_uname, &pamc, &pamh),
+                               "pam_start", 241, 0);
+               PAM_CALL(pam_open_session(pamh, PAM_SILENT), 
+                               "pam_open_session", 242, 1);
+               PAM_CALL(pam_close_session(pamh, PAM_SILENT),
+                               "pam_close_session", 243, 1);
+               PAM_CALL(pam_end(pamh, 0), "pam_end",
+                               244, 0);
+       }
+
+#undef PAM_CALL
+#endif /* SUEXEC_PAM_SESSION */
+
     /*
      * Change UID/GID here so that the following tests work over NFS.
      *
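Review bot: The block from `pam_start("suexec", actual_uname, &pamc, &pamh)` through `pam_end` opens the session and closes it again before the UID/GID change announced by the comment that follows, so every session module configured for the `suexec` PAM service runs with whatever privileges suexec still holds at that point, and only process-level effects such as the rlimits applied by pam_limits outlive `pam_close_session`. The existing comment says only "to use pam_limits module"; I would extend it to state that the immediate close is intentional, that modules which rely on a session lifetime will not work here, and that the package has to ship a dedicated `suexec` PAM service file listing only the modules needed, since otherwise the PAM library's fallback service configuration presumably applies. `pamc` is initialised as `{ NULL }`, so there is no conversation function for a module that tries to prompt, which deserves a line in the same comment. As a smaller style point, `(do_end) && pam_end(pamh, rc);` reads better as `if (do_end) pam_end(pamh, rc);` and avoids an unused-value warning. The enclosing function starts and ends outside the hunk.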
