pitter patter on the keyboard

This is a very old bug but I’m covering it here anyway because it keeps popping up on dusty servers and I forget how to solve it.

If you do a world update on a box that hasn’t had one in about a year you might notice that dev-perl/DBD-mysql (in the case in front of me, 4.01.3) fails to compile and nothing you do with perl-cleaner seems to fix it. You need to force-rebuild dev-perl/DBI.

# emerge -1 dev-perl/DBI

Gentoo recently made the switch from lzma-utils to xz-utils, to quote the project page at http://tukaani.org/lzma/:

LZMA Utils are legacy data compression software with high compression ratio. LZMA Utils are no longer developed, although critical bugs may be fixed as long as fixing them doesn’t require huge changes to the code.

Users of LZMA Utils should move to XZ Utils. XZ Utils support the legacy .lzma format used by LZMA Utils, and can also emulate the command line tools of LZMA Utils. This should make transition from LZMA Utils to XZ Utils relatively easy.

As you are probably aware, Portage has largely used lzma for the past year – before which bzip2 was the compression standard of choice. If alarm bells went off in your head when you saw this message:

[blocks B     ] app-arch/lzma-utils ("app-arch/lzma-utils" is blocking app-arch/xz-utils-4.999.9_beta)

You can rest easy uninstalling lzma, the xz-utils package comes in a good ol’ fashioned tarball and it works as a drop-in replacement for it so it’s safe to unmerge lzma-utils completely then – before emerging anything else – emerge xz-utils:

# emerge --unmerge lzma-utils; emerge xz-utils

 app-arch/lzma-utils
 selected: 4.32.7
 protected: none   
 omitted: none   

>>> 'Selected' packages are slated for removal.
>>> 'Protected' and 'omitted' packages will not be removed.

>>> Waiting 5 seconds before starting...
>>> (Control-C to abort)...
>>> Unmerging in: 5 4 3 2 1
>>> Unmerging app-arch/lzma-utils-4.32.7...

 * GNU info directory index is up-to-date.
Calculating dependencies... done!

# emerge xz-utils
Calculating dependencies... done!

>>> Verifying ebuild manifests

>>> Emerging (1 of 1) app-arch/xz-utils-4.999.9_beta
>>> Downloading 'http://gentoo.osuosl.org/distfiles/xz-4.999.9beta.tar.gz'

I’ll take this opportunity to point out that in this day and age the word beta has become such a gimmick that Gentoo is including so-called beta software as part of its core system. Back in my day beta meant beta and you had to walk 17 miles uphill both ways to get to the nearest phone jack. Mind you we didn’t call them modems in those days, we called em clinkerdinkers….

Way to go, Internet.

Suhosin is a Korean word which, roughly translated, means guardian angel. It is also the name of a clever PHP extension brought to us by the Hardened-PHP Project. When I found out it could provide transparent on-the-fly session and cookie encryption I thought sexual thoughts and sped off to install it. Fortunately for gentoo users, it’s a simple matter of adding the suhosin USE flag to PHP and (re)compiling:

# echo "dev-lang/php suhosin" >> /etc/portage/package.use
# emerge --newuse php

In fact, now is probably a good time to reevaluate your PHP USE flags; I tend to disable a bunch of functions that would simply not exist if certain extensions were not compiled in at all. This is what your stripped-down flags might look like:

[ebuild R ] dev-lang/php-5.2.13 USE="apache2 bcmath berkdb bzip2 cgi cli crypt ctype exif filter gd hash iconv ipv6 json mysql mysqli ncurses nls pcntl pcre pdo readline reflection session simplexml snmp spl ssl suhosin threads truetype unicode xml zip zlib -adabas -birdstep -calendar -cdb -cjk -concurrentmodphp -curl -curlwrappers -db2 -dbase -dbmaker -debug -discard-path -doc -empress -empress-bcs -esoob -fastbuild -fdftk -firebird -flatfile -force-cgi-redirect -frontbase -ftp -gd-external -gdbm -gmp -imap -inifile -interbase -iodbc (-java-external) -kerberos -kolab -ldap -ldap-sasl -libedit -mcve -mhash -msql -mssql -oci8 -oci8-instant-client -odbc -pic -posix -postgres -qdbm -recode -sapdb -sharedext -sharedmem -soap -sockets -solid -spell -sqlite -sybase -sybase-ct -sysvipc -tidy -tokenizer -wddx -xmlreader -xmlrpc -xmlwriter -xpm -xsl -yaz"

Once you’ve recompiled you’re going to have to add the Suhosin configuration directives to your php.ini. For apache open /etc/php/apache-php5/php.ini and tack this on to the end:

; Logging
suhosin.log.syslog = S_ALL
suhosin.log.syslog.facility = LOG_USER
suhosin.log.syslog.priority = LOG_WARNING
suhosin.log.sapi = S_ALL
;suhosin.log.script
;suhosin.log.phpscript
;suhosin.log.script.name
;suhosin.log.phpscript.name
;suhosin.log.use-x-forwarded-for

; Executor Options
suhosin.executor.max_depth = 1000000
suhosin.executor.include.max_traversal = 3
;suhosin.executor.include.whitelist
;suhosin.executor.include.blacklist
;suhosin.executor.func.whitelist
suhosin.executor.func.blacklist = ""
;suhosin.executor.eval.whitelist
suhosin.executor.eval.blacklist = ""
suhosin.executor.disable_eval = On
suhosin.executor.disable_emodifier = On
suhosin.executor.allow_symlink = Off

; Misc Options
suhosin.simulation = Off
suhosin.apc_bug_workaround = Off
suhosin.sql.bailout_on_error = On
;suhosin.sql.user_prefix
;suhosin.sql.user_postfix
suhosin.multiheader = On
suhosin.mail.protect = 2
;suhosin.memory_limit

; Transparent Encryption Options
suhosin.session.encrypt = On
suhosin.session.cryptkey = "INSERT RANDOM CRAP HERE"
suhosin.session.cryptua = On
suhosin.session.cryptdocroot = On
suhosin.session.cryptraddr = 2
suhosin.session.checkraddr = 2
suhosin.cookie.encrypt = On
suhosin.cookie.cryptkey = "INSERT RANDOM CRAP HERE"
suhosin.cookie.cryptua = On
suhosin.cookie.cryptdocroot = On
suhosin.cookie.cryptraddr = 2
suhosin.cookie.checkraddr = 2
;suhosin.cookie.cryptlist
;suhosin.cookie.plainlist

; Filtering Options
suhosin.filter.action = 402
suhosin.cookie.max_array_depth = 100
suhosin.cookie.max_array_index_length = 64
suhosin.cookie.max_name_length = 64
suhosin.cookie.max_totalname_length = 256
suhosin.cookie.max_value_length = 10000
suhosin.cookie.max_vars = 100
suhosin.cookie.disallow_nul = On
suhosin.get.max_array_depth = 50
suhosin.get.max_array_index_length = 64
suhosin.get.max_name_length = 64
suhosin.get.max_totalname_length = 256
suhosin.get.max_value_length = 512
suhosin.get.max_vars = 100
suhosin.get.disallow_nul = On
suhosin.post.max_array_depth = 100
suhosin.post.max_array_index_length = 64
suhosin.post.max_name_length = 64
suhosin.post.max_totalname_length = 256
suhosin.post.max_value_length = 50000000
suhosin.post.max_vars = 200
suhosin.post.disallow_nul = On
suhosin.request.max_array_depth = 100
suhosin.request.max_array_index_length = 64
suhosin.request.max_totalname_length = 256
suhosin.request.max_value_length = 65000
suhosin.request.max_vars = 200
suhosin.request.max_varname_length = 64
suhosin.request.disallow_nul = On
suhosin.upload.max_uploads = 25
suhosin.upload.disallow_elf = On
suhosin.upload.disallow_binary = Off
suhosin.upload.remove_binary = Off
;suhosin.upload.verification_script
suhosin.session.max_id_length = 128

Now head over to http://www.hardened-php.net/suhosin/configuration.html and tailor the configuration to suit your environment. Don’t forget to blacklist dangerous functions like apache_child_terminate, apache_setenv, define_syslog_variables, eval, exec, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode, exec, pipe, set_time_limit, popen, proc_open, parse_ini_file, show_source, mail, dl, ini_set, ini_alter, virtual, openlog, apc_add, apc_bin_dump, apc_bin_dumpfile, apc_bin_loadfile, apc_cache_info, apc_cas, apc_clear_cache, apc_compile_file, apc_dec, apc_define_constants, apc_delete_file, apc_delete, apc_exists, apc_fetch, apc_inc, apc_load_constants, apc_store, symlink and eval!

It seems Suhosin provides its own stack-smashing protection, potentially removing the need for the slow PIC (-fstack_protector_all) compile-time option. Until I get confirmation on this I’ll be using both just to be safe.