Bug 113748 - lang/php5 with Suhosin patch fails in jails.
Summary: lang/php5 with Suhosin patch fails in jails.
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Alex Dupre
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-06-16 12:10 UTC by edwin
Modified: 2008-12-10 14:00 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description edwin 2007-06-16 12:10:03 UTC
When using PHP5 with the Suhosin patch in a jail, I often get this
output on my screen:

    Warning: Unknown: failed to open stream: No such file or directory in Unknown on line 0

    Fatal error: Unknown: Failed opening required '/home/edwin/public_html/a.php' (include_path='.:/usr/local/share/pear') in Unknown on line 0

Other times it displays the right output.


See also:
	http://www.webmasterworld.com/apache/3193113.htm
	http://forum.hardened-php.net/viewtopic.php?id=135

Fix: 

Give warning in the OPTIONS screen that the Suhosin patch shouldn't
be used for PHP instances inside jails.
Comment 1 Edwin Groothuis freebsd_committer 2007-06-16 12:10:11 UTC
Responsible Changed
From-To: freebsd-ports-bugs->ale

Over to maintainer
Comment 2 edwin 2007-06-16 12:44:49 UTC
uname -a output:
    FreeBSD webtoo-mavetju.barnet.com.au 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12 08:43:30 UTC 2007     root@portnoy.cse.buffalo.edu:/usr/obj/usr/src/sys/SMP  amd64

script: nothing special, it happens about 10-20% with every script.

[~] edwin@mavetju.org>cat public_html/a.php 
<?php

//header("Content-type: text/plain; charset=UTF-8");
header("Content-Disposition: attachment; filename=\"patch-1.diff\"");
//header("Content-Disposition: inline; filename=\"patch-1.diff\"");

?>
Index: mtree.8
===================================================================
RCS file: /home/ncvs/src/usr.sbin/mtree/mtree.8,v
retrieving revision 1.55
diff -u -r1.55 mtree.8
--- mtree.8     29 Sep 2006 17:57:03 -0000      1.55
+++ mtree.8     14 Jun 2007 00:20:56 -0000
@@ -322,6 +322,17 @@
 .Sh EXIT STATUS
 .Ex -std
 .Sh EXAMPLES
+To create an
+.Pa /etc/mtree
+style BSD.*.dist file, use
+.Nm
+.Fl c
+.Fl d
+.Fl i
+.Fl n
+.Fl k 
+.Cm uname,gname,mode,nochange.
+.Pp
 To detect system binaries that have been ``trojan horsed'', it is recommended
 that
 .Nm

[~] edwin@mavetju.org>php -v
PHP 5.2.2 (cli) (built: Jun 16 2007 21:05:40) 
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
[~] edwin@mavetju.org>php -m
[PHP Modules]
date
libxml
Reflection
standard
xml

[Zend Modules]


No php.ini


-- 
Edwin Groothuis      |            Personal website: http://www.mavetju.org
edwin@mavetju.org    |              Weblog: http://www.mavetju.org/weblog/
Comment 3 Alex Dupre freebsd_committer 2007-06-20 07:01:58 UTC
State Changed
From-To: open->closed

Warning added.
Comment 4 dfilter service freebsd_committer 2007-06-20 07:01:58 UTC
ale         2007-06-20 06:01:50 UTC

  FreeBSD ports repository

  Modified files:
    lang/php4            Makefile 
    lang/php5            Makefile 
  Log:
  Add a comment about incompatibility between suhosin and FreeBSD jails.
  
  PR:             ports/113748
  Submitted by:   edwin
  
  Revision  Changes    Path
  1.115     +1 -1      ports/lang/php4/Makefile
  1.118     +1 -1      ports/lang/php5/Makefile
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 5 Maxim Khitrov 2007-06-20 23:51:00 UTC
Hello,

I'm running PHP 5.2.3 with Suhosin-Patch 0.9.6.2 in a FreeBSD 6.2 jail
and cannot reproduce this problem. I use Lighttpd as my web server
with PHP running as FastCGI. Earlier, I did notice some problems while
using the APC module; the FastCGI processes would continue to run but
would not respond. I couldn't track down exactly what was causing the
problem so I disabled APC until I have some time to look into it.
Without APC I have never noticed any problems running PHP with Suhosin
under FreeBSD jails, at least not with FastCGI and CLI interfaces.

- Maxim Khitrov
Comment 6 Miroslav Lachman 2007-07-29 10:11:31 UTC
Can you post some more details of your jail + php + apache setup?
I am not seeing your problems with Suhosin patch.
I am running 6.2-RELEASE-p6 i386 with GENERIC kernel, jail inside 3GB 
file based disk (mdconfig)
/dev/md0c on /vol0/jail/rain (ufs, local, soft-updates)
devfs on /vol0/jail/rain/dev (devfs, local)
apache-2.2.4_2
php5-5.2.2
php5-gd-5.2.2
php5-iconv-5.2.2
php5-mbstring-5.2.2
php5-mssql-5.2.2
php5-mysql-5.2.2
php5-pcre-5.2.2
php5-session-5.2.2
php5-sockets-5.2.2
php5-xml-5.2.2

PHP options:
WITH_CLI=true
WITH_CGI=true
WITH_APACHE=true
WITHOUT_DEBUG=true
WITH_SUHOSIN=true
WITH_MULTIBYTE=true
WITH_IPV6=true
WITH_MAILHEAD=true
WITHOUT_REDIRECT=true
WITHOUT_DISCARD=true
WITH_FASTCGI=true
WITH_PATHINFO=true

Is it possible, that the problem is only related to SMP or AMD64, or 
something else?

Miroslav Lachman
Comment 7 Michael Scheidell 2008-12-10 13:33:25 UTC
It APPEARS the APC issue has been fixed with this php.ini configuration 
variable:

suhosin.apc_bug_workaround

    *
      Type: Boolean
    *
      Default: Off

APC 3.0.12(p1/p2) uses reserved resources without requesting a resource 
slot first. It always uses resource slot 0. If Suhosin got this slot 
assigned APC will overwrite the information Suhosin stores in this slot. 
When this flag is set Suhosin will request 2 Slots and use the second 
one. This allows working correctly with these buggy APC versions.

http://www.hardened-php.net/suhosin/configuration.html

-- 
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
 > *| *SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * King of Spam Filters, SC Magazine 2008
    * Information Security Award 2008, Info Security Products Guide
    * CRN Magazine Top 40 Emerging Security Vendors


_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/
_________________________________________________________________________