On Wed, Dec 06, 2006 at 09:40:20AM -0500, Chuck Okerstrom wrote:
> Hey All,
> 
> I am attempting to use the hardened php5 pkg 
> (php5-core-5.1.4p1-hardened) set and am seeing weird problems with 
> mysql/php. It simply and quietly stops processing a script that performs 
> moderately heavy SQL inserts. No error messages, no logs, nothing! Going 
> back to the regular (unhardened) set completely solves the problem.
> 
> Since there is little to no documentation (that I've been able to find) 
> on the mysql to php integration, configuration, or logging that is 
> specific to the hardened patch, I'm left with few options in 
> troubleshooting the issue. What's frustrating is the lack of messages or 
> errors. I know that I have at least some logging in place in that I've 
> been able to generate a hphp error in my syslog by exceeding GET 
> parameter values, but I'm getting nothing in the logs when the mysql 
> problem occurs.

There's not enough documentation to be sure of anything, but I'm not
aware of the -hardened line doing strange things with MySQL.

It'd be nice to know exactly what happens. Does the httpd server stop
answering requests? Does it stop running this page? Or is the page in
fact run, but does it never return anything?

> The following is a synopsis of my system:
> 
> OpenBSD 4.0 on amd64 with a custom kernel to support Raidframe.
> 
> I'm using the binary packages
> 
> PHP5 pkgs used:
> -------------------
> php5-core-5.1.4p1-hardened
> php5-curl-5.1.4-hardened
> php5-gd-5.1.4-hardened
> php5-mcrypt-5.1.4-hardened
> php5-mhash-5.1.4-hardened
> php5-mysql-5.1.4-hardened
> php5-soap-5.1.4-hardened
> 
> 
> hphp specific settings in PHP.ini
> ---------------------------------
> hphp.log.syslog = S_ALL
> hphp.log.syslog.priority = LOG_ALERT
> hphp.log.syslog.facility = LOG_USER

Can apache reach syslog (/var/www/dev/log?)?

> hphp.executor.max_depth = 8000
> hphp.request.max_vars = 2000
> hphp.request.max_varname_length = 64
> hphp.request.max_totalname_length = 256
> hphp.request.max_array_index_length = 64
> hphp.request.max_array_depth = 100
> hphp.request.max_value_length = 65000
> hphp.request.disallow_nul = 1
> hphp.cookie.max_vars = 100
> hphp.cookie.max_name_length = 64
> hphp.cookie.max_totalname_length = 256
> hphp.cookie.max_array_index_length = 64
> hphp.cookie.max_array_depth = 100
> hphp.cookie.max_value_length = 10000
> hphp.cookie.disallow_nul = 1
> hphp.get.max_vars = 100
> hphp.get.max_name_length = 64
> hphp.get.max_totalname_length = 256
> hphp.get.max_array_index_length = 64
> hphp.get.max_array_depth = 50
> hphp.get.max_value_length = 512
> hphp.get.disallow_nul = 1
> hphp.post.max_vars = 600
> hphp.post.max_name_length = 64
> hphp.post.max_totalname_length = 256
> hphp.post.max_array_index_length = 64
> hphp.post.max_array_depth = 100
> hphp.post.max_value_length = 65000
> hphp.post.disallow_nul = 1
> hphp.upload.max_uploads = 25
> hphp.upload.disallow_elf_files = On

Does the same thing happen when setting these to the defaults? Not that
PHP should just block, anyway.

> Other
> -----------------
> Added kern.maxfiles=4096 to /etc/sysctl.conf
> Added --open-files-limit=2048 to /etc/mysql.server exec line

By itself, that'll not do too much. You'll want to look at
/etc/login.conf, too. However, this shouldn't 'hang' anything.

                Joachim
