Re: [Fwd: Suhosin Segmentation Fault]
On Wed, Oct 15, 2008 at 07:25:08PM +0200, Alain Wolf wrote:
> Not much return on freebsd-isp. I try again here on freebsd-questions.
>
> -------- Original Message --------
> Subject: Suhosin Segmentation Fault
> Date: Mon, 13 Oct 2008 09:49:09 +0200
> From: Alain Wolf [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Newsgroups: gmane.os.freebsd.isp
>
> After upgrading FreeBSD from 6.3-p3 to 6.3-p5 on our server, all websites just display a blank page and every HTTP request created a line as follows in the logs:
>
> child pid 80326 exit signal Segmentation fault (11)
>
> This same problem happened on another server a few months ago after the upgrade from 6.3-p3 to 6.3-p4, but after a rebuild of all FreeBSD ports all went back to normal. However several rebuilds of all ports did not solve the problem on this one.
>
> To narrow down the problem:
>
> After disabling the PHP module in Apache the problem disappears.
>
> Re-enabling PHP, but disabling the Suhosin extension also works fine.
>
> The trick found in this forum, to load the Suhosin extension before all other PHP extensions in /usr/local/etc/php/extensions.ini does not help. In fact not loading any extension at all except Suhosin creates the segfault errors.

Suhosin is not an extension you load in extensions.ini; it's a patch applied to the core of PHP.

The extension ordering problem, however, has been thoroughly discussed on -ports in the past. It happens to some and not others. There is no guaranteed way to determine what works and what doesn't. You have to literally enable line-by-line until you figure out which one is causing the problem.

You can also try building lang/php5 with DEBUG enabled and then when PHP segfaults, run gdb on the coredump and see if you can get a coherent backtrace (sometimes difficult with Apache in the way) to see what sort of functions are causing the crash; often each extension has its own function names, so that might give you some clues.

> PHP (cli) seems to run fine at all times when called from the command-line.

Now that's very interesting, given as the CLI version also loads all the extensions listed in extensions.ini. Can you post your /usr/local/etc/php/extensions.ini? You didn't list off what extensions you have installed.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: [Fwd: Suhosin Segmentation Fault]
Jeremy Chadwick wrote:
> Suhosin is not an extension you load in extensions.ini; it's a patch applied to the core of PHP.

% grep suhosin /usr/local/etc/php/extensions.ini
extension=suhosin.so

It's both a set of patches to the PHP core, and a loadable module.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
Re: [Fwd: Suhosin Segmentation Fault]
On Wed, Oct 15, 2008 at 08:26:09PM +0100, Matthew Seaman wrote:
> Jeremy Chadwick wrote:
>> Suhosin is not an extension you load in extensions.ini; it's a patch applied to the core of PHP.
>
> % grep suhosin /usr/local/etc/php/extensions.ini
> extension=suhosin.so
>
> It's both a set of patches to the PHP core, and a loadable module.
>
> Cheers,
>
> Matthew

Are you sure?

# find /usr/local/lib/php -name *suhosin* -ls
#
# grep -i suhosin /var/db/ports/php5/options
WITH_SUHOSIN=true
# grep -i suhosin /usr/local/etc/php/extensions.ini
#
# pkg_version -v | grep php5
php5-5.2.6_2                        =   up-to-date with port
php5-extensions-1.1                 =   up-to-date with port
php5-mysql-5.2.6_2                  =   up-to-date with port
php5-pcre-5.2.6_2                   =   up-to-date with port
php5-simplexml-5.2.6_2              =   up-to-date with port
# grep -i php5 /usr/local/etc/apache22/httpd.conf
LoadModule php5_module        libexec/apache22/libphp5.so
# php -i | grep -i suhosin
This server is protected with the Suhosin Patch 0.9.6.2
suhosin.log.phpscript => 0 => 0
suhosin.log.phpscript.is_safe => Off => Off
suhosin.log.phpscript.name => no value => no value
suhosin.log.sapi => no value => no value
suhosin.log.script => no value => no value
suhosin.log.script.name => no value => no value
suhosin.log.syslog => no value => no value
suhosin.log.syslog.facility => no value => no value
suhosin.log.syslog.priority => no value => no value
suhosin.log.use-x-forwarded-for => Off => Off

:-)

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
Re: [Fwd: Suhosin Segmentation Fault]
On Wed, Oct 15, 2008 at 2:35 PM, Jeremy Chadwick [EMAIL PROTECTED] wrote:
> On Wed, Oct 15, 2008 at 08:26:09PM +0100, Matthew Seaman wrote:
>> Jeremy Chadwick wrote:
>>> Suhosin is not an extension you load in extensions.ini; it's a patch applied to the core of PHP.
>>
>> % grep suhosin /usr/local/etc/php/extensions.ini
>> extension=suhosin.so
>>
>> It's both a set of patches to the PHP core, and a loadable module.
>>
>> Cheers,
>>
>> Matthew
>
> Are you sure?

Yes - the suhosin extension is located in the ports tree at:

/usr/ports/security/php-suhosin

Install instructions are at:

http://www.hardened-php.net/suhosin/how_to_install_or_upgrade.html#installing_the_extension

It's been a while since I've looked at the suhosin options and I can't remember what the differences are between the extension and the core-php patch.

Matt

> # find /usr/local/lib/php -name *suhosin* -ls
> #
> # grep -i suhosin /var/db/ports/php5/options
> WITH_SUHOSIN=true
> # grep -i suhosin /usr/local/etc/php/extensions.ini
> #
> # pkg_version -v | grep php5
> php5-5.2.6_2                        =   up-to-date with port
> php5-extensions-1.1                 =   up-to-date with port
> php5-mysql-5.2.6_2                  =   up-to-date with port
> php5-pcre-5.2.6_2                   =   up-to-date with port
> php5-simplexml-5.2.6_2              =   up-to-date with port
> # grep -i php5 /usr/local/etc/apache22/httpd.conf
> LoadModule php5_module        libexec/apache22/libphp5.so
> # php -i | grep -i suhosin
> This server is protected with the Suhosin Patch 0.9.6.2
> suhosin.log.phpscript => 0 => 0
> suhosin.log.phpscript.is_safe => Off => Off
> suhosin.log.phpscript.name => no value => no value
> suhosin.log.sapi => no value => no value
> suhosin.log.script => no value => no value
> suhosin.log.script.name => no value => no value
> suhosin.log.syslog => no value => no value
> suhosin.log.syslog.facility => no value => no value
> suhosin.log.syslog.priority => no value => no value
> suhosin.log.use-x-forwarded-for => Off => Off
>
> :-)
>
> -- 
> | Jeremy Chadwick                                jdc at parodius.com |
> | Parodius Networking                       http://www.parodius.com/ |
> | UNIX Systems Administrator                  Mountain View, CA, USA |
> | Making life hard for others since 1977.              PGP: 4BD6C0CB |
Re: [Fwd: Suhosin Segmentation Fault]
Hi, all--

On Oct 15, 2008, at 12:47 PM, Matt wrote:
> It's been a while since I've looked at the suhosin options and I can't remember what the differences are between the extension and the core-php patch.

If you check the following, they discuss the difference in protection between using just the patch versus the extension:

http://www.hardened-php.net/suhosin/why.html
http://www.hardened-php.net/suhosin/a_feature_list.html

Regards,
-- 
-Chuck
Re: [Fwd: Suhosin Segmentation Fault]
On 15.10.2008 20:55, Jeremy Chadwick wrote:
> On Wed, Oct 15, 2008 at 07:25:08PM +0200, Alain Wolf wrote:
>> Not much return on freebsd-isp. I try again here on freebsd-questions.
>>
>> -------- Original Message --------
>> Subject: Suhosin Segmentation Fault
>> Date: Mon, 13 Oct 2008 09:49:09 +0200
>> From: Alain Wolf [EMAIL PROTECTED]
>> To: [EMAIL PROTECTED]
>> Newsgroups: gmane.os.freebsd.isp
>>
>> After upgrading FreeBSD from 6.3-p3 to 6.3-p5 on our server, all websites just display a blank page and every HTTP request created a line as follows in the logs:
>>
>> child pid 80326 exit signal Segmentation fault (11)
>>
>> This same problem happened on another server a few months ago after the upgrade from 6.3-p3 to 6.3-p4, but after a rebuild of all FreeBSD ports all went back to normal. However several rebuilds of all ports did not solve the problem on this one.
>>
>> To narrow down the problem:
>>
>> After disabling the PHP module in Apache the problem disappears.
>>
>> Re-enabling PHP, but disabling the Suhosin extension also works fine.
>>
>> The trick found in this forum, to load the Suhosin extension before all other PHP extensions in /usr/local/etc/php/extensions.ini does not help. In fact not loading any extension at all except Suhosin creates the segfault errors.
>
> Suhosin is not an extension you load in extensions.ini; it's a patch applied to the core of PHP.

Suhosin is *both*. A patch for php and an extension module for PHP.

From http://www.hardened-php.net/suhosin/index.html:

Suhosin comes in two independent parts, that can be used separately or in combination. The first part is a small patch against the PHP core, that implements a few low-level protections against bufferoverflows or format string vulnerabilities and the second part is a powerful PHP extension that implements all the other protections.

The suhosin patch works fine on our servers. But the extension does not.

> The extension ordering problem, however, has been thoroughly discussed on -ports in the past. It happens to some and not others. There is no guaranteed way to determine what works and what doesn't. You have to literally enable line-by-line until you figure out which one is causing the problem.

I tried enabling and disabling extensions. All of them work, as long as suhosin.so is not loaded. Regardless of the order.

If I disable all other extensions and load only suhosin.so in /usr/local/etc/php/extensions.ini the apache processes are still crashing.

> You can also try building lang/php5 with DEBUG enabled and then when PHP segfaults, run gdb on the coredump and see if you can get a coherent backtrace (sometimes difficult with Apache in the way) to see what sort of functions are causing the crash; often each extension has its own function names, so that might give you some clues.

Hard for me, as this disrupts customer services. We are running without the extensions for now.

>> PHP (cli) seems to run fine at all times when called from the command-line.
>
> Now that's very interesting, given as the CLI version also loads all the extensions listed in extensions.ini. Can you post your /usr/local/etc/php/extensions.ini? You didn't list off what extensions you have installed.

cat /usr/local/etc/php/extensions.ini
extension=gd.so
extension=ctype.so
extension=pcre.so
extension=session.so
extension=bz2.so
extension=openssl.so
extension=zlib.so
extension=mbstring.so
extension=mysql.so
extension=pdf.so
extension=mcrypt.so
extension=simplexml.so
extension=spl.so
extension=mysqli.so
extension=xml.so
extension=iconv.so
extension=hash.so
extension=tokenizer.so
extension=calendar.so
extension=ftp.so
extension=xmlrpc.so
extension=xmlwriter.so
extension=zip.so
extension=filter.so
;extension=suhosin.so
extension=wddx.so
extension=mhash.so
extension=json.so
extension=dom.so
extension=xmlreader.so
extension=exif.so
extension=ncurses.so
extension=gettext.so
extension=ldap.so
extension=pdo.so
extension=soap.so
extension=tidy.so
extension=pdo_sqlite.so
extension=apc.so
extension=readline.so
extension=xsl.so
extension=curl.so
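The thread turns on whether a host runs the Suhosin core patch, the loadable extension, or both. The following is an added example, not written by any participant in the thread, that classifies this from `php -i` output and the contents of extensions.ini; the function names and sample inputs are constructed, and it assumes the patch banner wording shown in the messages above.

```shell
#!/bin/sh
# Added example (not from the thread): tell the Suhosin core patch apart from
# the loadable extension, using only text that the posters already collected.

# Read `php -i` output on stdin; print the version from the core-patch banner,
# or nothing when the banner is absent (assumed wording: "Suhosin Patch X").
suhosin_patch_version() {
    sed -n 's/.*protected with the Suhosin Patch \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Read extensions.ini on stdin; print the 1-based load position of suhosin.so
# among the active extension= lines. Lines commented out with ';' or '#'
# (such as ";extension=suhosin.so") do not count. Prints nothing if inactive.
suhosin_ext_position() {
    awk '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*extension[ \t]*=/ {
            n++
            v = $0
            sub(/^[^=]*=/, "", v)        # keep the value only
            sub(/;.*$/, "", v)           # drop a trailing inline comment
            gsub(/[ \t\r"]/, "", v)      # drop whitespace, CR and quotes
            if (v == "suhosin.so" && !pos) pos = n
        }
        END { if (pos) print pos }
    '
}

# $1 = `php -i` output, $2 = extensions.ini contents.
# Prints one of: both, patch, extension, none.
suhosin_mode() {
    patch=$(printf '%s\n' "$1" | suhosin_patch_version)
    ext=$(printf '%s\n' "$2" | suhosin_ext_position)
    if [ -n "$patch" ] && [ -n "$ext" ]; then echo both
    elif [ -n "$patch" ]; then echo patch
    elif [ -n "$ext" ]; then echo extension
    else echo none
    fi
}

# Constructed sample inputs, modelled on the output quoted in the thread.
SAMPLE_PHP_I='This server is protected with the Suhosin Patch 0.9.6.2
suhosin.log.syslog => no value => no value'
SAMPLE_INI_DISABLED='extension=gd.so
;extension=suhosin.so
extension=wddx.so'
SAMPLE_INI_ENABLED='extension=gd.so
extension=ctype.so
extension=suhosin.so
extension=pcre.so'

echo "disabled ini: $(suhosin_mode "$SAMPLE_PHP_I" "$SAMPLE_INI_DISABLED")"
echo "enabled ini:  $(suhosin_mode "$SAMPLE_PHP_I" "$SAMPLE_INI_ENABLED")"
```

On a live host the two arguments would come from `php -i` and `cat /usr/local/etc/php/extensions.ini`, the same commands the posters ran.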
Re: [Fwd: Suhosin Segmentation Fault]
On Wed, Oct 15, 2008 at 02:47:00PM -0500, Matt wrote:
> On Wed, Oct 15, 2008 at 2:35 PM, Jeremy Chadwick [EMAIL PROTECTED] wrote:
>> On Wed, Oct 15, 2008 at 08:26:09PM +0100, Matthew Seaman wrote:
>>> Jeremy Chadwick wrote:
>>>> Suhosin is not an extension you load in extensions.ini; it's a patch applied to the core of PHP.
>>>
>>> % grep suhosin /usr/local/etc/php/extensions.ini
>>> extension=suhosin.so
>>>
>>> It's both a set of patches to the PHP core, and a loadable module.
>>>
>>> Cheers,
>>>
>>> Matthew
>>
>> Are you sure?
>
> Yes - the suhosin extension is located in the ports tree at:
>
> /usr/ports/security/php-suhosin
>
> Install instructions are at:
>
> http://www.hardened-php.net/suhosin/how_to_install_or_upgrade.html#installing_the_extension
>
> It's been a while since I've looked at the suhosin options and I can't remember what the differences are between the extension and the core-php patch.

Deep within their forums, I found an answer in a thread. The thread pointed me to this:

http://www.hardened-php.net/suhosin/a_feature_list.html

Engine Protection is not available in security/php-suhosin. Seems to me that the benefits of using the patch version easily outweigh that of the extension version, solely for protection against formatted string vulnerabilities.

I also found this amusing tidbit, which is a sticky post on their forum:

http://forum.hardened-php.net/viewtopic.php?id=122

That sticky also states that pspell.so will cause Suhosin to crash, advocating that pspell.so must come last in extension.so, but then also advocates simply not using pspell at all. I'm sure that does nothing but confuse users.

Seems the OP has also posted there:

http://forum.hardened-php.net/viewtopic.php?id=501

It would be interesting to know if the segfaults people experience are specific to the extension version of Suhosin.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
Re: [Fwd: Suhosin Segmentation Fault]
On Wed, Oct 15, 2008 at 10:01:13PM +0200, Alain Wolf wrote:
> On 15.10.2008 20:55, Jeremy Chadwick wrote:
>> On Wed, Oct 15, 2008 at 07:25:08PM +0200, Alain Wolf wrote:
>>> Not much return on freebsd-isp. I try again here on freebsd-questions.
>>>
>>> -------- Original Message --------
>>> Subject: Suhosin Segmentation Fault
>>> Date: Mon, 13 Oct 2008 09:49:09 +0200
>>> From: Alain Wolf [EMAIL PROTECTED]
>>> To: [EMAIL PROTECTED]
>>> Newsgroups: gmane.os.freebsd.isp
>>>
>>> After upgrading FreeBSD from 6.3-p3 to 6.3-p5 on our server, all websites just display a blank page and every HTTP request created a line as follows in the logs:
>>>
>>> child pid 80326 exit signal Segmentation fault (11)
>>>
>>> This same problem happened on another server a few months ago after the upgrade from 6.3-p3 to 6.3-p4, but after a rebuild of all FreeBSD ports all went back to normal. However several rebuilds of all ports did not solve the problem on this one.
>>>
>>> To narrow down the problem:
>>>
>>> After disabling the PHP module in Apache the problem disappears.
>>>
>>> Re-enabling PHP, but disabling the Suhosin extension also works fine.
>>>
>>> The trick found in this forum, to load the Suhosin extension before all other PHP extensions in /usr/local/etc/php/extensions.ini does not help. In fact not loading any extension at all except Suhosin creates the segfault errors.
>>
>> Suhosin is not an extension you load in extensions.ini; it's a patch applied to the core of PHP.
>
> Suhosin is *both*. A patch for php and an extension module for PHP.
>
> From http://www.hardened-php.net/suhosin/index.html:
>
> Suhosin comes in two independent parts, that can be used separately or in combination. The first part is a small patch against the PHP core, that implements a few low-level protections against bufferoverflows or format string vulnerabilities and the second part is a powerful PHP extension that implements all the other protections.

Except their own website contradicts themselves in many other places, including on their forums *and* in other documentation. I can refer you to some documentation of theirs that states Suhosin extension sometimes causes other extensions to crash because they try to access internal variables wrongly.

You are supposed to use one or the other: the patch, or the extension. You've probably read my other mail by now, so you know that I advocate use of the patch.

> The suhosin patch works fine on our servers. But the extension does not.

So disable it and use only the patch -- problem solved.

I'm CC'ing ale@ on this thread, because he's probably not on -questions, and this has now become a -ports thing. He can comment on what to do about these crashes.

I'm of the opinion that security/php-suhosin should be nuked, especially if the patch works fine for everyone but the extension causes problems.

>> The extension ordering problem, however, has been thoroughly discussed on -ports in the past. It happens to some and not others. There is no guaranteed way to determine what works and what doesn't. You have to literally enable line-by-line until you figure out which one is causing the problem.
>
> I tried enabling and disabling extensions. All of them work, as long as suhosin.so is not loaded. Regardless of the order.
>
> If I disable all other extensions and load only suhosin.so in /usr/local/etc/php/extensions.ini the apache processes are still crashing.
>
>> You can also try building lang/php5 with DEBUG enabled and then when PHP segfaults, run gdb on the coredump and see if you can get a coherent backtrace (sometimes difficult with Apache in the way) to see what sort of functions are causing the crash; often each extension has its own function names, so that might give you some clues.
>
> Hard for me, as this disrupts customer services. We are running without the extensions for now.
>
>>> PHP (cli) seems to run fine at all times when called from the command-line.
>>
>> Now that's very interesting, given as the CLI version also loads all the extensions listed in extensions.ini. Can you post your /usr/local/etc/php/extensions.ini? You didn't list off what extensions you have installed.
>
> cat /usr/local/etc/php/extensions.ini
> extension=gd.so
> extension=ctype.so
> extension=pcre.so
> extension=session.so
> extension=bz2.so
> extension=openssl.so
> extension=zlib.so
> extension=mbstring.so
> extension=mysql.so
> extension=pdf.so
> extension=mcrypt.so
> extension=simplexml.so
> extension=spl.so
> extension=mysqli.so
> extension=xml.so
> extension=iconv.so
> extension=hash.so
> extension=tokenizer.so
> extension=calendar.so
> extension=ftp.so
> extension=xmlrpc.so
> extension=xmlwriter.so
> extension=zip.so
> extension=filter.so
> ;extension=suhosin.so
> extension=wddx.so
> extension=mhash.so
> extension=json.so
> extension=dom.so
> extension=xmlreader.so
> extension=exif.so
> extension=ncurses.so
> extension=gettext.so
> extension=ldap.so
> extension=pdo.so
> extension=soap.so
> extension=tidy.so
> extension=pdo_sqlite.so
Re: [Fwd: Suhosin Segmentation Fault]
Jeremy Chadwick wrote:
> You are supposed to use one or the other: the patch, or the extension.

Nope, they can be used alone or mixed together (I use both on my servers). For a detailed explanation see: http://www.hardened-php.net/suhosin/why.html

> I'm CC'ing ale@ on this thread, because he's probably not on -questions, and this has now become a -ports thing. He can comment on what to do about these crashes.

Compile PHP in debug and post a backtrace. The suhosin author is a FreeBSD committer, so he can surely help solving the problem.

> I'm of the opinion that security/php-suhosin should be nuked, especially if the patch works fine for everyone but the extension causes problems.

See above.

>> If I disable all other extensions and load only suhosin.so in /usr/local/etc/php/extensions.ini the apache processes are still crashing.

Apache version?

-- 
Alex Dupre