Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 117995 - dev-lang/php-5.1.1 cli killed in hardened system
Summary: dev-lang/php-5.1.1 cli killed in hardened system
Status: RESOLVED TEST-REQUEST
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: PHP Bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-01-06 00:10 UTC by Steve Yin
Modified: 2006-01-20 20:14 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Steve Yin 2006-01-06 00:10:23 UTC 
I have installed the dev-lang/php-5.1.1 with the cli enabled, but every run of php cli, it will be killed at the end of run. So, I can not run the pear cmd, thus I can not upgrade the PEAR-* package.

Jan  6 15:38:39 [kernel] grsec: From 192.168.0.2: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/lib/php5/bin/php[php:12418] uid/euid:0/0 gid/egid:0/0, parent bin/bash[bash:12415] uid/euid:0/0 gid/egid:0/0

here is the use flag:
[ebuild   R   ] dev-lang/php-5.1.1  -adabas -apache +apache2 +bcmath +berkdb -birdstep +bzip2 +calendar -cdb -cgi +cjk +cli +crypt +ctype +curl +curlwrappers -db2 +dba +dbase -dbmaker -debug -discard-path -doc -empress -empress-bcs -esoob +exif -fastbuild -fdftk +filepro -firebird +flatfile -force-cgi-redirect -frontbase +ftp +gd -gd-external +gdbm +gmp -hardenedphp -hyperwave-api +iconv +imap -informix +inifile -interbase -iodbc +ipv6 -java-external +kerberos +ldap -libedit +mcve -memlimit +mhash +ming -msql -mssql +mysql +mysqli +ncurses +nls -oci8 (-oci8-instant-client) +odbc +pcntl +pcre +pdo -pdo-external +pear +pic +posix +postgres -qdbm +readline -recode -sapdb +sasl +session +sharedext -sharedmem +simplexml +snmp +soap +sockets -solid +spell +spl +sqlite +ssl -sybase -sybase-ct +sysvipc +threads +tidy +tokenizer +truetype -vm-goto  -vm-switch +wddx +xml +xmlreader +xmlrpc +xpm +xsl -yaz +zip +zlib 0 kB 


here is the emerge info:
server critical # emerge info
Portage 2.0.53 (hardened/x86/2.6, gcc-3.4.4, glibc-2.3.5-r2, 2.6.14-hardened-r3 
i686)
=================================================================
System uname: 2.6.14-hardened-r3 i686 Intel(R) Pentium(R) 4 CPU 2.00GHz
Gentoo Base System version 1.6.13
dev-lang/python:     2.4.2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.20
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium4 -fomit-frame-pointer -pipe -DNDEBUG"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/X1
1/xkb /usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=pentium4 -fomit-frame-pointer -pipe -DNDEBUG"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://mirror.datapipe.net/pub/gentoo http://mirror.averse.net/p
ub/gentoo"
LC_ALL="en_US.UTF-8"
MAKEOPTS="-j5"
PKGDIR="/usr/portage//packages/x86/"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage/"
SYNC="rsync://owl.gentoo.org/gentoo-portage"
USE="X acl acpi alsa apache2 authdaemond bash-completion bcmath berkdb bluetooth
 bzip2 bzlib caps cjk crypt cscope ctype cups curl curlwrappers dlloader emacs-w
3 exif expat fam fortran gd gdbm gmp gnutls gpm guile hardened idn imap innodb i
pv6 ithreads java javascript jpeg kerberos ldap libg++ lm_sensors logrotate mail
dir mailwrapper mhash mime ming mmap mmx mng motif mysql mysqli ncurses nis nls 
nptl nptlonly odbc opengl pam pcmcia pcntl pcre pda pear perl php pic pie png pn
p posix postgres profile python readline ruby samba sasl session sftplogging sha
redext simplexml skey slang slp snmp soap sockets socks5 spell spl sqlite sse ss
l svg symlink tcltk tcpd tetex threads tidy tiff truetype udev unicode usb vhost
s x86 xml xml2 xmlrpc xpm xv zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LANG, LDFLAGS, LINGUAS, PORTDIR_OVERLAY
Comment 1 Robert Paskowitz (RETIRED) gentoo-dev 2006-01-06 01:30:22 UTC 
Hardened has nothing (apparent) to do with the crash, grsecurity is just reporting system events, see:
http://www.grsecurity.net/wiki/index.php/GrsecurityFAQ

Feel free to re-assign if anything turns up showing a link between hardened and the cause of the event causing php to attempt to dump core.
Comment 2 Steve Yin 2006-01-20 05:39:04 UTC 
Today, I found this: on my normal system(not using hardened toolchain), the php cli will segfault on it's exit with both php-5.1.1 and php-5.1.2(tested use overlay).

So, Seems This is not a hardened problem, just php cli problem, seg fault on normal system, killed by hardened system.
Comment 3 Jakub Moc (RETIRED) gentoo-dev 2006-01-20 05:49:44 UTC 
(In reply to comment #2)
> Today, I found this: on my normal system(not using hardened toolchain), the php
> cli will segfault on it's exit with both php-5.1.1 and php-5.1.2(tested use
> overlay).

I definitely don't get any CLI segfaults with php-5.1.1 on either hardened or unhardened system. Recompile your toolchain and dev-lang/php without -DNDEBUG and similar unsupported cruft in your C[XX]FLAGS and reopen if the issue still persists then.
Comment 4 Steve Yin 2006-01-20 20:14:22 UTC 
This makes no sense to me, I've rebuilt my php with CFLAGS="-march=nocona -O2 -pipe -fomit-frame-pointer", but it still killed by hardened system.

So, if this is a problem of -DNDEBUG, why the apache2-sapi works really really fine? The whole system works perfect, only php-cli get seg fault?

This both happend to my amd64 and x86, 3 server, plus 2 non-hardened desktop all the same, All built with -DNDEBUG, only >=php-5.1.1 get this problem.