Posts Tagged ‘php.ini’

Apache Reload: Fix seg fault or similar nasty error detected in the parent process

I noticed this nasty wee bugger last week:

[notice] seg fault or similar nasty error detected in the parent process

The first time it happened, the drop in traffic did not correlate with the daily init scripts, but when the second occurrence this morning did, I finally had somewhere to start. The default logrotate script for apache on gentoo (and many other flavours) does a graceful reload once the log files have been rotated to release their inodes. Now I could reproduce the issue:

# /etc/init.d/apache2 reload
 * Gracefully restarting apache2 ...
# /etc/init.d/apache2 restart
 * Stopping apache2 ...
httpd (pid 2505?) not running                                                [ ok ]
 * Starting apache2 ...
 * start-stop-daemon: /usr/sbin/apache2 is already running
# /etc/init.d/apache2 stop   
 * Stopping apache2 ...
httpd (pid 2505?) not running
# /etc/init.d/apache2 start
 * Starting apache2 ...
 * start-stop-daemon: /usr/sbin/apache2 is already running

Poking around, this seems to usually be caused by loading bad/wrong/nonexistent libraries in the php.ini – and I am guilty of carrying over old php.inis on upgrade. Updating and switching to the distributed php.ini for my installed version of php seems to have solved this issue.

Sometimes it really is my fault :p

max_input_vars: Why Your Long Forms are Being Chopped Off

If you don’t keep your php.ini in sync with your PHP version you might be wondering why very large forms seem to be missing their bottom half when you go to analyse your $_POST array. Newer releases of PHP have a configuration directive called max_input_vars with a default value of 1000 which is meant to help reduce the risk of DoS.

I’ve seen it argued that forms with over 1000 fields can probably be organised a better way, and that’s mostly true – but what happens when your software is a dynamically generated spreadsheet a la CSV verification and pre-processing?

You might want to take this as a cue to update your php.ini but it’s also safe to drop

max_input_vars = 40960

or some other number reasonably tuned to your needs into your existing config.

Mass Virtual Hosting Part Seven: Securing PHP with Suhosin

Suhosin is a Korean word which, roughly translated, means guardian angel. It is also the name of a clever PHP extension brought to us by the Hardened-PHP Project. When I found out it could provide transparent on-the-fly session and cookie encryption I thought sexual thoughts and sped off to install it. Fortunately for gentoo users, it’s a simple matter of adding the suhosin USE flag to PHP and (re)compiling:

# echo "dev-lang/php suhosin" >> /etc/portage/package.use
# emerge --newuse php

In fact, now is probably a good time to reevaluate your PHP USE flags; I tend to disable a bunch of functions that would simply not exist if certain extensions were not compiled in at all. This is what your stripped-down flags might look like:

[ebuild R ] dev-lang/php-5.2.13 USE="apache2 bcmath berkdb bzip2 cgi cli crypt ctype exif filter gd hash iconv ipv6 json mysql mysqli ncurses nls pcntl pcre pdo readline reflection session simplexml snmp spl ssl suhosin threads truetype unicode xml zip zlib -adabas -birdstep -calendar -cdb -cjk -concurrentmodphp -curl -curlwrappers -db2 -dbase -dbmaker -debug -discard-path -doc -empress -empress-bcs -esoob -fastbuild -fdftk -firebird -flatfile -force-cgi-redirect -frontbase -ftp -gd-external -gdbm -gmp -imap -inifile -interbase -iodbc (-java-external) -kerberos -kolab -ldap -ldap-sasl -libedit -mcve -mhash -msql -mssql -oci8 -oci8-instant-client -odbc -pic -posix -postgres -qdbm -recode -sapdb -sharedext -sharedmem -soap -sockets -solid -spell -sqlite -sybase -sybase-ct -sysvipc -tidy -tokenizer -wddx -xmlreader -xmlrpc -xmlwriter -xpm -xsl -yaz"

Once you’ve recompiled you’re going to have to add the Suhosin configuration directives to your php.ini. For apache open /etc/php/apache-php5/php.ini and tack this on to the end:

; Logging
suhosin.log.syslog = S_ALL
suhosin.log.syslog.facility = LOG_USER
suhosin.log.syslog.priority = LOG_WARNING
suhosin.log.sapi = S_ALL
;suhosin.log.script
;suhosin.log.phpscript
;suhosin.log.script.name
;suhosin.log.phpscript.name
;suhosin.log.use-x-forwarded-for

; Executor Options
suhosin.executor.max_depth = 1000000
suhosin.executor.include.max_traversal = 3
;suhosin.executor.include.whitelist
;suhosin.executor.include.blacklist
;suhosin.executor.func.whitelist
suhosin.executor.func.blacklist = ""
;suhosin.executor.eval.whitelist
suhosin.executor.eval.blacklist = ""
suhosin.executor.disable_eval = On
suhosin.executor.disable_emodifier = On
suhosin.executor.allow_symlink = Off

; Misc Options
suhosin.simulation = Off
suhosin.apc_bug_workaround = Off
suhosin.sql.bailout_on_error = On
;suhosin.sql.user_prefix
;suhosin.sql.user_postfix
suhosin.multiheader = On
suhosin.mail.protect = 2
;suhosin.memory_limit

; Transparent Encryption Options
suhosin.session.encrypt = On
suhosin.session.cryptkey = "INSERT RANDOM CRAP HERE"
suhosin.session.cryptua = On
suhosin.session.cryptdocroot = On
suhosin.session.cryptraddr = 2
suhosin.session.checkraddr = 2
suhosin.cookie.encrypt = On
suhosin.cookie.cryptkey = "INSERT RANDOM CRAP HERE"
suhosin.cookie.cryptua = On
suhosin.cookie.cryptdocroot = On
suhosin.cookie.cryptraddr = 2
suhosin.cookie.checkraddr = 2
;suhosin.cookie.cryptlist
;suhosin.cookie.plainlist

; Filtering Options
suhosin.filter.action = 402
suhosin.cookie.max_array_depth = 100
suhosin.cookie.max_array_index_length = 64
suhosin.cookie.max_name_length = 64
suhosin.cookie.max_totalname_length = 256
suhosin.cookie.max_value_length = 10000
suhosin.cookie.max_vars = 100
suhosin.cookie.disallow_nul = On
suhosin.get.max_array_depth = 50
suhosin.get.max_array_index_length = 64
suhosin.get.max_name_length = 64
suhosin.get.max_totalname_length = 256
suhosin.get.max_value_length = 512
suhosin.get.max_vars = 100
suhosin.get.disallow_nul = On
suhosin.post.max_array_depth = 100
suhosin.post.max_array_index_length = 64
suhosin.post.max_name_length = 64
suhosin.post.max_totalname_length = 256
suhosin.post.max_value_length = 50000000
suhosin.post.max_vars = 200
suhosin.post.disallow_nul = On
suhosin.request.max_array_depth = 100
suhosin.request.max_array_index_length = 64
suhosin.request.max_totalname_length = 256
suhosin.request.max_value_length = 65000
suhosin.request.max_vars = 200
suhosin.request.max_varname_length = 64
suhosin.request.disallow_nul = On
suhosin.upload.max_uploads = 25
suhosin.upload.disallow_elf = On
suhosin.upload.disallow_binary = Off
suhosin.upload.remove_binary = Off
;suhosin.upload.verification_script
suhosin.session.max_id_length = 128

Now head over to http://www.hardened-php.net/suhosin/configuration.html and tailor the configuration to suit your environment. Don’t forget to blacklist dangerous functions like apache_child_terminate, apache_setenv, define_syslog_variables, eval, exec, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode, exec, pipe, set_time_limit, popen, proc_open, parse_ini_file, show_source, mail, dl, ini_set, ini_alter, virtual, openlog, apc_add, apc_bin_dump, apc_bin_dumpfile, apc_bin_loadfile, apc_cache_info, apc_cas, apc_clear_cache, apc_compile_file, apc_dec, apc_define_constants, apc_delete_file, apc_delete, apc_exists, apc_fetch, apc_inc, apc_load_constants, apc_store, symlink and eval!
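To finish the config above without leaving the placeholder keys or the empty blacklist in place, the following added example (not part of the original post) generates a separate random key for each cryptkey directive and writes a de-duplicated function list into suhosin.executor.func.blacklist. The function names (gen_key, dedupe_list, pending, harden_ini) and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the
# sample file are constructed for illustration.

# 256 bits from the kernel CSPRNG, hex-encoded (64 characters).
gen_key() {
    head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# Normalise a comma/space separated function list: unique, sorted entries.
dedupe_list() {
    printf '%s\n' "$1" | tr -s ', \t' '\n\n\n' | sed '/^$/d' |
        LC_ALL=C sort -u | paste -sd, -
}

# Count directives still at the post's defaults (0 means nothing left to do).
pending() {
    grep -c -e 'cryptkey *= *"INSERT RANDOM CRAP HERE"' \
            -e '^suhosin\.executor\.func\.blacklist *= *"" *$' "$1" || true
}

# Fill in only values still at their defaults, so a re-run never rotates a
# live key (that would invalidate existing sessions and cookies).
harden_ini() {
    ini=$1
    bl=$(dedupe_list "$2")
    ph='"INSERT RANDOM CRAP HERE"'
    tmp=$(mktemp) || return 1
    sed -e "s|^\(suhosin\.session\.cryptkey\) *= *$ph|\1 = \"$(gen_key)\"|" \
        -e "s|^\(suhosin\.cookie\.cryptkey\) *= *$ph|\1 = \"$(gen_key)\"|" \
        -e "s|^\(suhosin\.executor\.func\.blacklist\) *= *\"\" *\$|\1 = \"$bl\"|" \
        "$ini" > "$tmp" && cat "$tmp" > "$ini"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demo on a constructed sample, never on the live php.ini.
demo=$(mktemp)
printf '%s\n' 'suhosin.executor.func.blacklist = ""' \
    'suhosin.session.cryptkey = "INSERT RANDOM CRAP HERE"' \
    'suhosin.cookie.cryptkey = "INSERT RANDOM CRAP HERE"' > "$demo"
harden_ini "$demo" "exec, popen, exec, shell_exec, system, popen"
echo "still pending: $(pending "$demo")"
cat "$demo"
rm -f "$demo"
```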

It seems Suhosin provides its own stack-smashing protection, potentially removing the need for the slow PIC (-fstack-protector-all) compile-time option. Until I get confirmation on this I’ll be using both just to be safe.

foxpa.ws
Made in Canada  •  There's a fox in the Gibson!  •  2010-12