}{ello,
I updated a device and use php fpm on openbsd 7.0
everything works fine after putting a resolv file in the chroot
but i can't send email from the chroot
I hope I didn't see something obvious.
to troubleshoot i drop the ksh inside the chroot
/var/www/usr/sbin/ksh:
Start End Type Open Ref GrpRef Name
00000e4fc4d74000 00000e4fc4e1a000 dlib 1 0 0
/var/www/usr/sbin/ksh
and wrote a stupid php
<?php
$output=null;
$retval=null;
# exec('/usr/sbin/sendmail -h 2>&1', $output, $retval);
exec ('/usr/sbin/ksh -c "echo a"', $output, $retval);
echo '<br/>';
echo "Returned with status $retval and output:\n";
echo '<br/>';
$rc = sprintf('%o', fileperms('/usr/sbin/sendmail'));
echo $rc;
echo '<br/>';
$rc = sprintf('ffoo: %o', fileperms('/usr/sbin/ffoo'));
echo $rc;
echo '<br/>';
print_r(array('o' => $output,'perm' => $rc, 'r' => $retval));
which output :
Returned with status 127 and output:
100555
ffoo: 100644
Array ( [o] => Array ( ) [perm] => ffoo: 100644 [r] => 127 )
which constantly returns 127 and no output ( also tried popen and
other methods , just use exec as a 'simpler' version.
Also used the ksh to double check ENV
chroot -u user /var/www /usr/sbin/ksh -c 'echo $USER'
and tested sendmail inside chroot with the chroot command.
After pondering the existence of the universe, i ktrace the php - fpm
process
ktrace -d -t cpxX -p 32152
and it's not really clear, i cannot see a vfork in there,
usr/local got the wxallowed
- -- -
(( I 80% sur the chrooted sendmail was delivered with
a pkg_add ))
# uname -a
OpenBSD portals2.citypassenger.com 7.0 GENERIC.MP#232 amd64
# pkg_info
argon2-20190702 C implementation of Argon2 - password hashing function
bzip2-1.0.8p0 block-sorting file compressor, unencumbered
curl-7.79.0 transfer files with FTP, HTTP, HTTPS, etc.
femail-1.0p1 simple SMTP client
femail-chroot-1.0p3 simple SMTP client for chrooted web servers
gd-2.3.2 library for dynamic creation of images
gettext-runtime-0.21p1 GNU gettext runtime libraries and programs
giflib-5.1.6 tools and library routines for working with GIF images
intel-firmware-20210608v0 microcode update binaries for Intel CPUs
jpeg-2.1.1v0 SIMD-accelerated JPEG codec replacement of libjpeg
libiconv-1.16p0 character set conversion library
libsodium-1.0.18p1 library for network communications and cryptography
libwebp-1.2.1 Google WebP image format conversion tool
libxml-2.9.12 XML parsing library
lz4-1.9.3p0 fast BSD-licensed data compression
lzo2-2.10p2 portable speedy lossless data compression library
mariadb-client-10.6.4v1 multithreaded SQL database (client)
mariadb-server-10.6.4p2v1 multithreaded SQL database (server)
nghttp2-1.44.0 library for HTTP/2
nginx-1.20.1p0 robust and small HTTP server and mail proxy server
oniguruma-6.9.7.1 regular expressions library
p5-Clone-0.45 recursively copy Perl datatypes
p5-DBD-MariaDB-1.21p3 MariaDB and MySQL driver for the Perl5 Database Interface
p5-DBI-1.643 the standard database interface module for Perl
p5-FreezeThaw-0.5001p0 module for converting structures to strings and back
p5-MLDBM-2.05p0 store multi-level hash structure in single-level tied hash
p5-Math-Base-Convert-0.11p0 very fast base to base conversion
p5-Module-Runtime-0.016p0 runtime module handling
p5-Net-Daemon-0.48p1 extension for portable daemons
p5-Params-Util-1.07p2 utility to make parameter checking easier
p5-PlRPC-0.2020p0 module for writing rpc servers and clients
p5-SQL-Statement-1.414 SQL parsing and processing engine
pcre-8.44 perl-compatible regular expression library
pcre2-10.36 perl-compatible regular expression library, version 2
php-7.4.24 server-side HTML-embedded scripting language
php-bz2-7.4.24 bzip2 compression extensions for php
php-curl-7.4.24 curl URL library extensions for php
php-gd-7.4.24 image manipulation extensions for php
php-mysqli-7.4.24 mysql database access extensions for php
png-1.6.37 library for manipulating PNG images
quirks-4.53 exceptions to pkg_add rules
snappy-1.1.8 fast compression/decompression library
sshguard-2.4.2 protect against brute force attacks on sshd and others
tiff-4.3.0 tools and library routines for working with TIFF images
vmm-firmware-1.14.0 firmware binary images for vmm(4) driver
xz-5.2.5 LZMA compression and decompression tools
zstd-1.5.0 zstandard fast real-time compression algorithm
# mount
/dev/sd0a on / type ffs (local)
/dev/sd0g on /home type ffs (local, nodev, nosuid)
/dev/sd0d on /tmp type ffs (local, nodev, nosuid)
/dev/sd0e on /usr type ffs (local, nodev)
/dev/sd0f on /usr/local type ffs (local, nodev, wxallowed)
/dev/sd0h on /var type ffs (local, nodev, nosuid)
# ls -l /var/www/usr/sbin
total 1920
-rw-r--r-- 1 root daemon 0 Oct 26 14:37 ffoo
-r-xr-xr-x 1 root daemon 613080 Oct 25 20:42 ksh
-r-xr-xr-x 1 root daemon 313176 Oct 23 00:31 sendmail
# kdump
20747 php-fpm-7.4 GIO fd 5 read 466 bytes
"<?php
# chdir '/var/www';
$output=null;
$retval=null;
# exec('/usr/sbin/sendmail -h 2>&1', $output, $retval);
exec ('/usr/sbin/ksh -c "echo a"', $output, $retval);
echo '<br/>';
echo "Returned with status $retval and output:\\n";
echo '<br/>';
$rc = sprintf('%o', fileperms('/usr/sbin/sendmail'));
echo $rc;
echo '<br/>';
$rc = sprintf('ffoo: %o', fileperms('/usr/sbin/ffoo'));
echo $rc;
echo '<br/>';
print_r(array('o' => $output,'perm' => $rc, 'r' => $retval));
"
20747 php-fpm-7.4 RET read 466/0x1d2
20747 php-fpm-7.4 CALL close(5)
20747 php-fpm-7.4 RET close 0
20747 php-fpm-7.4 CALL pipe2(0x7f7ffffe9ec8,0x10000<O_CLOEXEC>)
20747 php-fpm-7.4 RET pipe2 0
20747 php-fpm-7.4 CALL vfork()
20747 php-fpm-7.4 RET vfork 54384/0xd470
20747 php-fpm-7.4 CALL fcntl(5,F_GETFL)
20747 php-fpm-7.4 RET fcntl 2
20747 php-fpm-7.4 CALL close(6)
20747 php-fpm-7.4 RET close 0
20747 php-fpm-7.4 CALL fcntl(5,F_GETFD)
20747 php-fpm-7.4 RET fcntl 1
20747 php-fpm-7.4 CALL fcntl(5,F_SETFD,0)
20747 php-fpm-7.4 RET fcntl 0
20747 php-fpm-7.4 CALL read(5,0xed974075000,0x2000)
20747 php-fpm-7.4 RET read 0
20747 php-fpm-7.4 CALL close(5)
20747 php-fpm-7.4 RET close 0
20747 php-fpm-7.4 CALL wait4(54384,0x7f7ffffe9e5c,0<>,0)
20747 php-fpm-7.4 RET wait4 54384/0xd470
20747 php-fpm-7.4 CALL stat(0xed974055138,0x7f7ffffe9ed8)
20747 php-fpm-7.4 RET stat 0
20747 php-fpm-7.4 CALL stat(0xed97407d130,0x7f7ffffe9ed8)
20747 php-fpm-7.4 RET stat 0
20747 php-fpm-7.4 CALL chdir(0x7f7ffffea1e0)
20747 php-fpm-7.4 RET chdir 0
20747 php-fpm-7.4 CALL clock_gettime(CLOCK_MONOTONIC,0x7f7ffffeb6b0)
20747 php-fpm-7.4 RET clock_gettime 0
20747 php-fpm-7.4 CALL getrusage(RUSAGE_SELF,0x7f7ffffeb618)
20747 php-fpm-7.4 RET getrusage 0
20747 php-fpm-7.4 CALL getrusage(RUSAGE_CHILDREN,0x7f7ffffeb618)
20747 php-fpm-7.4 RET getrusage 0
20747 php-fpm-7.4 CALL clock_gettime(CLOCK_MONOTONIC,0x7f7ffffeb6a8)
20747 php-fpm-7.4 RET clock_gettime 0
20747 php-fpm-7.4 CALL setitimer(ITIMER_PROF,0x7f7ffffeb640,0)
20747 php-fpm-7.4 RET setitimer 0
20747 php-fpm-7.4 CALL write(3,0xed9aba26038,0xe8)
20747 php-fpm-7.4 GIO fd 3 wrote 232 bytes
"\^A\^F\0\^A\0\M-O\^A\0Content-type: text/html; charset=UTF-8\r
\r
<br/>Returned with status 127 and output:
<br/>100555<br/>ffoo: 100644<br/>Array
(
[o] => Array
(
)
[perm] => ffoo: 100644
[r] => 127
)
\0\^A\^C\0\^A\0\b\0\0\0\0\0\0\0o-b"
# grep -v '^;' /etc/php-7.4.ini | grep -v '^$'
[PHP]
engine = On
short_open_tag = Off
precision = 14
output_buffering = 4096
zlib.output_compression = Off
implicit_flush = Off
unserialize_callback_func =
serialize_precision = -1
disable_functions =
disable_classes =
zend.enable_gc = On
zend.exception_ignore_args = On
expose_php = Off
max_execution_time = 30
max_input_time = 60
memory_limit = 128M
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
variables_order = "GPCS"
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = On
post_max_size = 8M
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
default_charset = "UTF-8"
include_path = ".:/pear/lib:/var/www/pear/lib"
doc_root =
user_dir =
extension_dir = "/usr/local/lib/php-7.4/modules"
enable_dl = Off
file_uploads = On
upload_max_filesize = 2M
max_file_uploads = 20
allow_url_fopen = Off
allow_url_include = Off
default_socket_timeout = 60
extension=bz2
extension=curl
extension=gd
extension=mysqli
[CLI Server]
cli_server.color = On
[Date]
date.timezone = UTC
[filter]
[iconv]
[imap]
[intl]
[sqlite3]
[Pcre]
[Pdo]
[Pdo_mysql]
pdo_mysql.default_socket=
[Phar]
[mail function]
SMTP = localhost
smtp_port = 25
sendmail_from = b...@realdomain.com
sendmail_path = /usr/sbin/sendmail -t -i
mail.add_x_header = Off
[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1
[MySQLi]
mysqli.max_persistent = -1
mysqli.allow_persistent = On
mysqli.max_links = -1
mysqli.default_port = 3306
mysqli.default_socket =
mysqli.default_host =
mysqli.default_user =
mysqli.default_pw =
mysqli.reconnect = Off
[mysqlnd]
mysqlnd.collect_statistics = On
mysqlnd.collect_memory_statistics = Off
[OCI8]
[PostgreSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0
[bcmath]
bcmath.scale = 0
[browscap]
[Session]
session.save_handler = files
session.use_strict_mode = 0
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.cookie_samesite =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.sid_length = 26
session.trans_sid_tags = "a=href,area=href,frame=src,form="
session.sid_bits_per_character = 5
[Assertion]
zend.assertions = -1
[COM]
[mbstring]
[gd]
[exif]
[Tidy]
tidy.clean_output = Off
[soap]
soap.wsdl_cache_enabled=1
soap.wsdl_cache_dir="/tmp"
soap.wsdl_cache_ttl=86400
soap.wsdl_cache_limit = 5
[sysvshm]
[ldap]
ldap.max_links = -1
[dba]
[opcache]
[curl]
[openssl]
[ffi]
# ps auxww | grep fpmuser
fpmuser 20747 0.0 0.4 30232 29648 ?? I 3:05PM 0:01.82
php-fpm-7.4: pool fpmuser (php-fpm-7.4)
# grep -v '^;' /etc/php-fpm.conf | grep -v '^$'
[global]
error_log = syslog
syslog.facility = daemon
syslog.ident = php-fpm
log_level = notice
include=/etc/php-fpm.d/*.conf
# grep -v '^;' /etc/php-fpm.d/fpmuser.conf | grep -v '^$'
[fpmuser]
user = fpmuser
group = www
listen = /var/www/run/php/fpm.fpmuser.sock
listen.owner = fpmuser
listen.group = www
listen.mode = 660
pm.max_children = 1
pm = dynamic
pm.max_children = 1
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 1
chroot = /var/www/
--
--
---------------------------------------------------------------------------------------------------------------------
Knowing is not enough; we must apply. Willing is not enough; we must do
