[update] www/pecl-pledge

2023-11-22 Thread Tom Van Looy
Hi

Can someone commit this update for www/pecl-pledge?
The new package adds support for ini settings, and there are new docs.

Thanks!

diff is attached
diff --git www/pecl-pledge/Makefile www/pecl-pledge/Makefile
index 9b7ec15407e..0fb8563c295 100644
--- www/pecl-pledge/Makefile
+++ www/pecl-pledge/Makefile
@@ -1,6 +1,6 @@
 COMMENT=		PHP wrapper for pledge(2) and unveil(2)
 
-DISTNAME=		pledge-2.0.3
+DISTNAME=		pledge-2.1.2
 
 CATEGORIES=		www
 
diff --git www/pecl-pledge/distinfo www/pecl-pledge/distinfo
index 1c985c70cca..f9513891335 100644
--- www/pecl-pledge/distinfo
+++ www/pecl-pledge/distinfo
@@ -1,2 +1,2 @@
-SHA256 (pledge-2.0.3.tgz) = muc1oQwq5wh5AsShDjD34M+MU4FKmJJP8tu1moGXo+0=
-SIZE (pledge-2.0.3.tgz) = 6855
+SHA256 (pledge-2.1.2.tgz) = +X4x0AviCZn03jp9F39BITj/AsF/9URvDN7j2dHUwY8=
+SIZE (pledge-2.1.2.tgz) = 8921
diff --git www/pecl-pledge/pkg/README www/pecl-pledge/pkg/README
index 04ff2caf29b..aa443e18b1e 100644
--- www/pecl-pledge/pkg/README
+++ www/pecl-pledge/pkg/README
@@ -34,6 +34,8 @@ If PHP runs with mod_php, using pledge/unveil impacts an entire Apache child
 process. If pledge/unveil is used in php_fpm, it will impact the entire process
 for the whole lifetime of the process, not just one request.
 
+You might want to set pm.max_requests = 1 in php_fpm config.
+
 Architectural tips
 ==
 
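Review bot: the added line `You might want to set pm.max_requests = 1 in php_fpm config.` states the recommendation without its reason; since the two lines above it explain that pledge/unveil sticks to the whole FPM process for its lifetime, say explicitly that with `pm.max_requests = 1` each worker exits after one request, so the next request starts in a fresh, unpledged process. Naming the daemon consistently (the hunk below writes `PHP-FPM`, this one `php_fpm`) would also help readers searching the README.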
@@ -82,3 +84,134 @@ pass out proto tcp to $some_rest_api port 443 user your_fpm_user
 But again, in the example above network calls can be avoided in the web SAPI if
 mysql runs on a domain socket and work involving API's is scheduled and
 processed by a CLI job instead. You can use this technique for CLI jobs as well.
+
+Example configuration
+=
+
+You can set promises and unveils in your PHP-FPM config.
+
+An simplified httpd example /etc/httpd.conf:
+
+chroot "/var/www"
+
+server "example.com" {
+listen on * port 80
+root "/htdocs/public"
+directory index "index.php"
+
+# Assets not served by PHP
+location match "\.(css|gif|jpg|png|js)$" {
+pass
+}
+
+location match "/specific-path-1" {
+request rewrite "/index.php/%1"
+fastcgi socket "/run/php-fpm-specific-path-1.sock"
+}
+
+location match "/specific-path-2" {
+request rewrite "/index.php/%1"
+fastcgi socket "/run/php-fpm-specific-path-2.sock"
+}
+
+# The default PHP handler
+location match "^/(.+)$" {
+request rewrite "/index.php/%1"
+fastcgi socket "/run/php-fpm.sock"
+}
+}
+
+With a simplified PHP-FPM /etc/php-fpm.conf:
+
+[global]
+include=/etc/php-fpm.d/*.conf
+
+[specific-path-1]
+user = www
+group = www
+listen.owner = www
+listen.group = www
+listen.mode = 0660
+
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+
+chroot = /var/www
+pm.max_requests = 1
+
+listen = /var/www/run/php-fpm-specific-path-1.sock
+php_admin_value[openbsd.pledge_promises] = stdio rpath wpath cpath fattr flock unveil
+php_admin_value[openbsd.unveil] = /:r,/tmp:rwc,/htdocs/var/log:rwc,/htdocs/var/cache:rwc
+
+[specific-path-2]
+user = www
+group = www
+listen.owner = www
+listen.group = www
+listen.mode = 0660
+
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+
+chroot = /var/www
+pm.max_requests = 1
+
+listen = /var/www/run/php-fpm-specific-path-2.sock
+php_admin_value[openbsd.pledge_promises] = stdio rpath wpath cpath fattr flock unveil
+php_admin_value[openbsd.unveil] = /:r,/tmp:rwc,/htdocs/var/log:rwc,/htdocs/var/cache:rwc
+
+[www]
+user = www
+group = www
+listen.owner = www
+listen.group = www
+listen.mode = 0660
+
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+
+chroot = /var/www
+pm.max_requests = 1
+
+listen = /var/www/run/php-fpm.sock
+php_admin_value[openbsd.pledge_promises] = stdio rpath wpath cpath fattr flock unveil inet
+php_admin_value[openbsd.unveil] = /:r,/tmp:rwc,/htdocs/var/log:rwc,/htdocs/var/cache:rwc
+
+Don't forget to call `unveil(null, null);` in your PHP userland to disallow future unveil calls, or specify null:null as
+the last argument eg:
+
+```
+php_admin_value[openbsd.unveil] = /:r,/tmp:rwc,/htdocs/var/log:rwc,/htdocs/var/cache:rwc,null:null
+```
+
+From the CLI, you can also provide promises or unveils:
+
+$ php \
+-dopenbsd.unveil='/var/empty:r,null:null' \
+-dopenbsd.pledge_promises='stdio dns' \
+-r 'echo gethostbyname("openbsd.org");'
+199.185.178.80
+
+$ php \
+-dopenbsd.unveil='/var/empty:r,null:null' \
+-dopenbsd.pledge_promises='stdio error' \
+-r 'echo 
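Review bot: the hunk header announces 134 added lines, but the patch text ends mid-command at `-r 'echo` in the second CLI example (the `stdio error` promise set), so this copy is truncated; please resend it as an attachment or check the line count before commit. Within the visible text: `An simplified httpd example` should read `A simplified httpd example`, `eg:` should be `e.g.`, and the `Example configuration` heading is underlined with a single `=` while `Architectural tips` uses `==`, so match the existing underline style. One documentation point worth a sentence: with `chroot = /var/www` in each pool, the `openbsd.unveil` paths such as `/htdocs/var/log` are resolved inside the chroot, whereas `listen = /var/www/run/php-fpm.sock` is a host path (the socket is created by the master before the workers chroot); readers may otherwise prefix the unveil paths with `/var/www` and lock themselves out.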

UPDATE: www/pecl-pledge

2022-10-10 Thread Tom Van Looy
Hi

Here is an update to pecl-pledge 2.0.3. Release notes:
https://pecl.php.net/package-changelog.php?package=pledge=2.0.3

Index: www/pecl-pledge/Makefile
===
RCS file: /cvs/ports/www/pecl-pledge/Makefile,v
retrieving revision 1.10
diff -u -p -u -r1.10 Makefile
--- www/pecl-pledge/Makefile 23 Mar 2022 23:58:30 - 1.10
+++ www/pecl-pledge/Makefile 10 Oct 2022 08:36:59 -
@@ -1,7 +1,7 @@
 COMMENT= PHP wrapper for pledge(2) and unveil(2)

-DISTNAME= pledge-2.0.2
-REVISION= 4
+DISTNAME= pledge-2.0.3
+REVISION= 0

 CATEGORIES= www

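Review bot: `+REVISION= 0` in the Makefile hunk resets the revision instead of dropping it. On a DISTNAME bump the REVISION line is removed altogether (bsd.port.mk(5): REVISION should be removed when the port is updated to a new version); leaving `REVISION= 0` in place gives the package an unnecessary `p0` suffix. Suggest deleting the line rather than changing its value.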
Index: www/pecl-pledge/distinfo
===
RCS file: /cvs/ports/www/pecl-pledge/distinfo,v
retrieving revision 1.1.1.1
diff -u -p -u -r1.1.1.1 distinfo
--- www/pecl-pledge/distinfo 20 Nov 2018 10:28:52 - 1.1.1.1
+++ www/pecl-pledge/distinfo 10 Oct 2022 08:36:59 -
@@ -1,2 +1,2 @@
-SHA256 (pledge-2.0.2.tgz) = sIhZLgfu8OOrusMPKVuwL5TPD8wIbLQUf20JeG3oKzs=
-SIZE (pledge-2.0.2.tgz) = 6211
+SHA256 (pledge-2.0.3.tgz) = muc1oQwq5wh5AsShDjD34M+MU4FKmJJP8tu1moGXo+0=
+SIZE (pledge-2.0.3.tgz) = 6855
Index: www/pecl-pledge/pkg/PLIST
===
RCS file: /cvs/ports/www/pecl-pledge/pkg/PLIST,v
retrieving revision 1.4
diff -u -p -u -r1.4 PLIST
--- www/pecl-pledge/pkg/PLIST 11 Mar 2022 20:10:41 - 1.4
+++ www/pecl-pledge/pkg/PLIST 10 Oct 2022 08:36:59 -
@@ -1,5 +1,6 @@
-${MODPECL_DEFAULTV}@pkgpath www/pecl-pledge,php72
-${MODPECL_DEFAULTV}@pkgpath www/pecl-pledge,php73
+${MODPECL_DEFAULTV}@pkgpath www/pecl-pledge,php74
+${MODPECL_DEFAULTV}@pkgpath www/pecl-pledge,php80
+${MODPECL_DEFAULTV}@pkgpath www/pecl-pledge,php81
 @extra ${SYSCONFDIR}/php-${MODPHP_VERSION}/${MODULE_NAME}.ini
 lib/php-${MODPHP_VERSION}/modules/${MODULE_NAME}.so
 share/doc/pkg-readmes/${PKGSTEM}
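Review bot: the PLIST hunk removes the `,php72` and `,php73` `@pkgpath` entries while adding php74/php80/php81. Those entries are what lets `pkg_add -u` move an installed old-flavor package onto the current one, so they should only go if the php72/php73 flavors no longer exist in the tree; the Makefile hunk above does not show FLAVORS, so that cannot be confirmed from this diff. If the old flavors are still buildable, keep the old `@pkgpath` lines alongside the new ones.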


Re: NEW: security/pecl-pledge

2018-11-19 Thread Tom Van Looy
Thanks for your patience, Stuart.

I see that the extension is only compatible with >= 7.2 because the
ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX changed. I added FLAVOR=php72 in
the port.

The new version with this fix and README is attached.


pecl-pledge.tgz
Description: application/compressed-tar


Re: NEW: security/pecl-pledge

2018-11-18 Thread Tom Van Looy
I fixed a few typos. The content of DESCR is below (and in attachment the
full port).

This PHP extension adds support for OpenBSD's pledge and unveil system
calls.

The PHP userland functions pledge() and unveil() are wrappers around the
OpenBSD system calls. These functions are a powerful mechanism to defend
the PHP runtime and userland against some common exploits.

The theory:
---

The pledge(2) system call allows a program to restrict the types of
operations the program can do after that point. Unlike other similar
systems, pledge is specifically designed for programs that need to use a
wide variety of operations on initialization, but fewer after
initialization (when user input will be accepted).

All pledge(2) promises are documented in the pledge(2) manual page.

The unveil(2) system call restricts the filesystem view. The first call to
unveil(2) restricts the view. Subsequent calls can open it more. To prevent
further unveiling, call unveil with no parameters or drop the unveil pledge
if the program is pledged.

Web SAPI usage:
---

Be careful what to pledge/unveil! Using this module can cause a situation
of self-denial-of-service.

If PHP runs with mod_php, using pledge/unveil impacts an entire Apache
child process. If pledge/unveil is used in php_fpm, it will impact the
entire process for the whole lifetime of the process, not just one request.

Architectural tips:
---

Make sure you don't load extensions that you don't need in the web SAPI.
For example: PHAR, PCNTL, etc. can be useful for hackers, don't load them.

For performance reasons it is a good idea to do as little work as possible
in the web SAPI. Jobs can often be scheduled in a queue and run
asynchronously from the CLI SAPI. For example, processing and resizing
uploaded images does not need to run in the web SAPI. Jobs that need to do
calls to an external service can fail and should implement retry
mechanisms. These can slow down the web SAPI.

By using the asynchronous approach, the web SAPI loses functionality.
Extensions like PHAR, PCNTL, GD, imagick, curl, ... can be unloaded. Fewer
lines of code become accessible in the web facing part of the website and
the attack surface gets smaller.

The goal is gaining understanding of exactly what functionality is needed
by each use-case, so each use-case can be isolated. Pledge/unveil can then
be implemented specifically for each use-case.

A php_fpm process can implement pledge/unveil in a safe manner when the
pm.max_requests configuration flag is set to 1. This means the process will
respawn after each request. The default, and recommended, value for this
flag is 0 for endless request processing. Because pledge/unveil affects the
process and not just the request, different fpm pools can be configured for
each type of work. Especially with unveil the developer can make sure
system binaries are unavailable, jobs that don't have to write the
filesystem will not be able to do so, jobs that don't have to read user
uploaded files will not be able to do so, ...

In the web SAPI, avoid getting killed in subsequent requests by checking if
a certain file or directory is still available and only call unveil if it
is. E.g.:

    // /etc is a directory, so test it with file_exists() rather than
    // is_file(); once the view has been restricted the path is no longer
    // visible and the unveil call is skipped.
    if (file_exists('/etc')) {
        unveil(__DIR__, 'r');
    }

Limiting network calls is not possible with pledge on a destination basis.
But a workaround is to use pf to enforce rules on your fpm users, e.g.:

    block out proto {tcp udp} user your_fpm_user
    pass out proto tcp to $mysql_db port 3306 user your_fpm_user
    pass out proto tcp to $some_rest_api port 443 user your_fpm_user

But again, in the example above network calls can be avoided in the web
SAPI if mysql runs on a domain socket and work involving APIs is scheduled
and processed by a CLI job instead.


pecl-pledge.tgz
Description: application/compressed-tar
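Putting the DESCR's advice into one PHP-FPM front controller (initialize with a wide view, unveil only while the view is still open, lock with unveil(null, null), then pledge down), as an added example that is neither the port's nor the extension author's code; it assumes the pledge()/unveil() functions as described above and a made-up application layout:

```php
<?php
// Added example (not part of the pecl-pledge port or its DESCR): a PHP-FPM front
// controller applying the advice above. Assumes the extension is loaded, providing
// pledge(string $promises) and unveil(?string $path, ?string $permissions); the
// directory layout under $appRoot (config/, src/, vendor/, var/) is made up here.
declare(strict_types=1);

/**
 * Shrink the filesystem view and the syscall set once initialization is done.
 *
 * Guards against the self-denial-of-service the DESCR warns about:
 *  - no-op when the extension is missing (CLI tooling, non-OpenBSD hosts);
 *  - a sentinel path shows whether an earlier request in this same worker
 *    (pm.max_requests != 1) already locked it down, so unveil is not repeated
 *    on an already-restricted process;
 *  - unveil(null, null) followed by a pledge without the "unveil" promise
 *    forbids any later widening of the view.
 */
function lockdown(string $appRoot, string $promises): void
{
    if (!function_exists('pledge') || !function_exists('unveil')) {
        return;
    }

    // config/ is read during init and deliberately not unveiled, so it doubles
    // as the sentinel: still visible means the view is still wide open. Used
    // instead of the DESCR's /etc test because a chrooted pool may lack /etc.
    if (is_dir($appRoot . '/config')) {
        unveil($appRoot . '/src',       'r');   // application code
        unveil($appRoot . '/vendor',    'r');   // autoloaded libraries
        unveil($appRoot . '/var/cache', 'rwc'); // compiled templates
        unveil($appRoot . '/var/log',   'rwc'); // application log
        unveil(null, null);                     // no further unveil calls
    }

    // Second lock: without the "unveil" promise the kernel refuses unveil(2),
    // and any syscall outside $promises kills the worker instead of half-working.
    pledge($promises);
}

$appRoot = dirname(__DIR__);

// Initialization needs the wide view: autoloader and config (with DB credentials).
require $appRoot . '/vendor/autoload.php';
$config = require $appRoot . '/config/app.php';

// The pool's promises from the README minus "unveil", which is no longer needed;
// if the pool already pledged via openbsd.pledge_promises, this must be a subset.
lockdown($appRoot, 'stdio rpath wpath cpath fattr flock');

// From here on the credentials file is unreachable and only the promised
// operations remain; hand the request to the (hypothetical) dispatcher.
require $appRoot . '/src/dispatch.php';
```

Paired with `pm.max_requests = 1` in the pool, the sentinel branch runs on every request; without it, the branch protects a reused worker from calling unveil after the view is already closed.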


Re: NEW: security/pecl-pledge

2018-11-17 Thread Tom Van Looy
On Wed, Nov 14, 2018 at 12:19 PM Stuart Henderson wrote:

> I'd probably go for www/ for category,
> @conflict isn't needed
>

These are fixed.

> I would like to have some write-up (in DESCR probably) explaining what
> this might be useful for
>

I added a few lines that should present some ideas about how to use the
module and warn users about the dangers.

Any feedback on that one?

Tom


pecl-pledge.tgz
Description: application/compressed-tar


Re: NEW: security/pecl-pledge

2018-11-14 Thread Tom Van Looy
Attached is a port for pecl-pledge. This PHP extension adds support for
OpenBSD's pledge and unveil system calls. I wrote and maintain that PHP
extension.

It works for PHP 7.0, 7.1 and 7.2. Can we add this to the ports tree?

Docs are on the homepage of the project.

Kind regards,

Tom Van Looy


pecl-pledge.tgz
Description: application/compressed-tar


Re: NEW: security/pecl-pledge

2018-10-13 Thread Tom Van Looy
Updated the extension to 2.0.2 (reflection info is much better now)

On Fri, Oct 12, 2018 at 11:59 PM Tom Van Looy wrote:

> Updated the extension to 2.0.1.
>
> On Thu, Oct 4, 2018 at 9:02 PM Tom Van Looy wrote:
>
>> Hi
>>
>> Attached is a port for pecl-pledge. This PHP extension adds support for
>> OpenBSD's pledge and unveil system calls. I wrote and maintain that PHP
>> extension.
>>
>> It works for PHP 7.0, 7.1 and 7.2.
>>
>> Docs are on the homepage of the project.
>>
>> Kind regards,
>>
>> Tom Van Looy
>>
>


pecl-pledge.tgz
Description: application/compressed-tar


Re: NEW: security/pecl-pledge

2018-10-12 Thread Tom Van Looy
Updated the extension to 2.0.1.

On Thu, Oct 4, 2018 at 9:02 PM Tom Van Looy wrote:

> Hi
>
> Attached is a port for pecl-pledge. This PHP extension adds support for
> OpenBSD's pledge and unveil system calls. I wrote and maintain that PHP
> extension.
>
> It works for PHP 7.0, 7.1 and 7.2.
>
> Docs are on the homepage of the project.
>
> Kind regards,
>
> Tom Van Looy
>


pecl-pledge.tgz
Description: application/compressed-tar


NEW: security/pecl-pledge

2018-10-04 Thread Tom Van Looy
Hi

Attached is a port for pecl-pledge. This PHP extension adds support for
OpenBSD's pledge and unveil system calls. I wrote and maintain that PHP
extension.

It works for PHP 7.0, 7.1 and 7.2.

Docs are on the homepage of the project.

Kind regards,

Tom Van Looy


pecl-pledge.tgz
Description: application/compressed-tar


[FIX] varnish pexp doesn't match

2018-02-03 Thread Tom Van Looy
Hi

I was not able to stop varnish on my machine and noticed that the pexp
didn't match. This is my ps output:

    _varnish 10665  1.2  4.2 24280 88380 ??  S     10:21PM    0:00.46 varnishd: Varnish-Child -i x.home.ctors.net (varnishd)
    _varnish 21965  0.0  0.1  1608  2240 ??  Ss    10:21PM    0:00.01 varnishd: Varnish-Mgt -i x.home.ctors.net (varnishd)

So, here is a fix for it:

Index: www/varnish//pkg/varnishd.rc
===
RCS file: /cvs/ports/www/varnish/pkg/varnishd.rc,v
retrieving revision 1.4
diff -u -p -u -r1.4 varnishd.rc
--- www/varnish//pkg/varnishd.rc11 Jan 2018 19:27:12 -  1.4
+++ www/varnish//pkg/varnishd.rc3 Feb 2018 22:52:16 -
@@ -7,7 +7,7 @@ daemon_flags="-j unix,user=_varnish,ccgr

 . /etc/rc.d/rc.subr

-pexp="varnishd: Varnish-Mgr $(hostname)"
+pexp="varnishd: Varnish-Mgt -i $(hostname)"
 rc_reload=NO

 rc_cmd $1
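Review bot: `pexp` is matched by rc.subr with `pgrep -xf`, so it has to match the complete process title, not a prefix. The ps output quoted above shows the manager's title as `varnishd: Varnish-Mgt -i x.home.ctors.net` (the trailing `(varnishd)` is ps marking a changed title, not part of it), so the new `pexp="varnishd: Varnish-Mgt -i $(hostname)"` should now match where the old `Varnish-Mgr` pattern could not. Two things to check: the unescaped dots in `$(hostname)` are regex metacharacters (harmless here, they still match the literal dots), and the pattern assumes the identity shown in the title is always `$(hostname)`; if an `-i` option is ever added to `daemon_flags`, `rcctl stop` would stop finding the process again.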


Re: UPDATE: php revamp

2017-11-04 Thread Tom Van Looy
On Sat, Nov 4, 2017 at 12:13 PM, Marc Espie wrote:

> Welcome to the world of actual distributions.  We are supposed to
> be the expert and to know better than the end user.
>
> There's nothing that prevents you from adding this kind of rationale
> to the actual package DESCR.
>
> One strong point of OpenBSD is that we actually make this kind of
> decision.  Choosing best paths for software components, so that the
> end-user doesn't have to worry too much.
>
> I've never been a fan of debian where they split stuff into so
> many very small packages that you never know what to install.
>


If you are a user, things like Drupal, Symfony, WordPress, Magento, ...
have a requirements page that tells you what extensions you have to enable.
It's up to the developers of those systems to tell you what the
requirements are.

If you are a PHP developer writing actual software, in my opinion, you
should learn what the extensions are for. There is good documentation
available on php.net for developers.


> Now, think like an end-user. Assume they want to use php. What do
> they do ?  They add the main package. They try to run something.
> They discover one dependency is missing. They add that dependency.
> They do it another time...
>
> How many times are they going to do it ?
>
> The safe bet is that they usually give up after the 4th dependency,
> and just add *everything* that has php in it.
>
> Congrats, you just gave them enough rope so that they add fileinfo
> by default.
>


Let's make a comparison with let's say PF. Users try to run something, they
open a port, open another port, ... so how many ports do they open until
they just allow any to any? If users are lazy there is not much you can do
about it. What solution should OpenBSD provide for that? A default ruleset
that assumes they run smtp, serve http, use skype, etc?

No offense, I'm trying to understand your point of view.


Re: UPDATE: php revamp

2017-11-04 Thread Tom Van Looy
On Fri, Nov 3, 2017 at 9:56 PM, Marc Espie wrote:

> run-time depends can be a bitch. The stuff still packages, and stays that
> way until somebody notices an issue... which often happens a few months
> after the commits, and sometimes even after release.
>
> Does php complain as soon as you try to start the offending package, or
> only when you activate some functionality that depends on the extra
> plugin ?
>

It only starts complaining when you use a function that isn't there. So
yeah that would lead to possible trouble.

What if we enable the extensions by default when you install them? Given
that you install them, you probably want them enabled anyway. And that
would be a solution for this problem.


Re: UPDATE: php revamp

2017-11-03 Thread Tom Van Looy
On Thu, Nov 2, 2017 at 10:59 PM, Antoine Jacoutot wrote:

> On Thu, Nov 02, 2017 at 09:30:34PM +, Stuart Henderson wrote:
> > It's a matter of opinion. I will cope but I really don't like the
> FreeBSD-style
> > micro splitting.
>
> +1
>

I don't see that as a problem but I get the point. I don't mind having all
extensions installed by default, like opcache, curl, readline, intl, etc.
are often used. The thing I like about the new approach is that they are
loadable modules and disabled by default. Like Martijn says, it doesn't
make sense to have WDDX, readline etc. compiled in.

I do like the fact that you have to pick an SAPI now.


Re: UPDATE: php revamp

2017-11-02 Thread Tom Van Looy
Hi

Martijn did a very good job with this. This makes OpenBSD's PHP setup
incredibly better. I tested yesterday's patch and it works fine (I had
trouble with the other ones). I built everything and tested 7.1, 7.0, 5.6
with cli and fpm + extensions (opcache, curl, intl, etc.).

So, looks good. I hope it gets committed soon. Thanks Martijn!

Tom Van Looy


Remove www/zendframework

2017-07-29 Thread Tom Van Looy
Hi

The port www/zendframework should be removed.

It is supplying old version 1.12.9 and was not touched in the past years.
The latest in the 1.12.* series is 1.12.20, which is EOL since 28 Sep 2016
(https://framework.zend.com/blog/2016-06-28-zf1-eol.html). Nothing in the
ports tree depends on www/zendframework. Newer versions of Zend Framework
(2 and 3) can be installed with composer.

Kind regards,

Tom Van Looy


Re: Thank you for making p2k9 possible!

2009-10-11 Thread Tom Van Looy
> p2k9 (the ports hackathon in Budapest) is on since Friday. People
> are working on different things like GNOME, GCC4, BluRay support or
> even ACPI.
>
> I would like to thank everyone who donated money to the project because
> the individual donors made it possible to organize this event.
> So ... BIG THANKS GOES TO OUR USERS, to people supporting the project
> even at these times.
>
> I'd also like to thank NIIF and Sun Microsystems Hungary for lending
> us a nice hackroom and hardware for the hackathon.

And don't forget yourself! Big thanks to you dev guys for being in
Budapest figuring out new cool things to add to OpenBSD for us users.