[update] www/pecl-pledge
Hi Can someone commit this update for www/pecl-pledge? The new package adds support for ini settings, and there are new docs. Thanks! diff is attached diff --git www/pecl-pledge/Makefile www/pecl-pledge/Makefile index 9b7ec15407e..0fb8563c295 100644 --- www/pecl-pledge/Makefile +++ www/pecl-pledge/Makefile @@ -1,6 +1,6 @@ COMMENT= PHP wrapper for pledge(2) and unveil(2) -DISTNAME= pledge-2.0.3 +DISTNAME= pledge-2.1.2 CATEGORIES= www diff --git www/pecl-pledge/distinfo www/pecl-pledge/distinfo index 1c985c70cca..f9513891335 100644 --- www/pecl-pledge/distinfo +++ www/pecl-pledge/distinfo @@ -1,2 +1,2 @@ -SHA256 (pledge-2.0.3.tgz) = muc1oQwq5wh5AsShDjD34M+MU4FKmJJP8tu1moGXo+0= -SIZE (pledge-2.0.3.tgz) = 6855 +SHA256 (pledge-2.1.2.tgz) = +X4x0AviCZn03jp9F39BITj/AsF/9URvDN7j2dHUwY8= +SIZE (pledge-2.1.2.tgz) = 8921 diff --git www/pecl-pledge/pkg/README www/pecl-pledge/pkg/README index 04ff2caf29b..aa443e18b1e 100644 --- www/pecl-pledge/pkg/README +++ www/pecl-pledge/pkg/README @@ -34,6 +34,8 @@ If PHP runs with mod_php, using pledge/unveil impacts an entire Apache child process. If pledge/unveil is used in php_fpm, it will impact the entire process for the whole lifetime of the process, not just one request. +You might want to set pm.max_requests = 1 in php_fpm config. + Architectural tips == 
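Review bot: the DISTNAME bump to pledge-2.1.2 is the only Makefile change in this hunk, while the cover text says the release adds ini settings and new docs; before committing, confirm that the shipped ${MODULE_NAME}.ini and the PLIST still match what the 2.1.2 tarball installs, and that no stale REVISION line is left behind now that the version has changed.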
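Review bot: SHA256 and SIZE for pledge-2.1.2.tgz are updated together in the distinfo hunk, as they should be; the committer should still regenerate them with make makesum against the tarball fetched from pecl.php.net rather than take the values from the mail, since this checksum is the only thing tying the port to the upstream release.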
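Review bot: "You might want to set pm.max_requests = 1 in php_fpm config" reads as optional, but the Architectural tips section of this same README states that a php_fpm process can only use pledge/unveil safely with pm.max_requests = 1, because the restrictions last for the lifetime of the process rather than one request. State it as a requirement here, mention the cost (a respawn after every request, versus the default and recommended 0), and spell the daemon the same way throughout (the new section below writes PHP-FPM while this line writes php_fpm).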
@@ -82,3 +84,134 @@ pass out proto tcp to $some_rest_api port 443 user your_fpm_user But again, in the example above network calls can be avoided in the web SAPI if mysql runs on a domain socket and work involving API's is scheduled and processed by a CLI job instead. You can use this technique for CLI jobs as well. + +Example configuration += + +You can set promises and unveils in your PHP-FPM config. + +An simplified httpd example /etc/httpd.conf: + +chroot "/var/www" + +server "example.com" { +listen on * port 80 +root "/htdocs/public" +directory index "index.php" + +# Assets not served by PHP +location match "\.(css|gif|jpg|png|js)$" { +pass +} + +location match "/specific-path-1" { +request rewrite "/index.php/%1" +fastcgi socket "/run/php-fpm-specific-path-1.sock" +} + +location match "/specific-path-2" { +request rewrite "/index.php/%1" +fastcgi socket "/run/php-fpm-specific-path-2.sock" +} + +# The default PHP handler +location match "^/(.+)$" { +request rewrite "/index.php/%1" +fastcgi socket "/run/php-fpm.sock" +} +} + +With a simplified PHP-FPM /etc/php-fpm.conf: + +[global] +include=/etc/php-fpm.d/*.conf + +[specific-path-1] +user = www +group = www +listen.owner = www +listen.group = www +listen.mode = 0660 + +pm = dynamic +pm.max_children = 5 +pm.start_servers = 2 +pm.min_spare_servers = 1 +pm.max_spare_servers = 3 + +chroot = /var/www +pm.max_requests = 1 + +listen = /var/www/run/php-fpm-specific-path-1.sock +php_admin_value[openbsd.pledge_promises] = stdio rpath wpath cpath fattr flock unveil +php_admin_value[openbsd.unveil] = /:r,/tmp:rwc,/htdocs/var/log:rwc,/htdocs/var/cache:rwc + +[specific-path-2] +user = www +group = www +listen.owner = www +listen.group = www +listen.mode = 0660 + +pm = dynamic +pm.max_children = 5 +pm.start_servers = 2 +pm.min_spare_servers = 1 +pm.max_spare_servers = 3 + +chroot = /var/www +pm.max_requests = 1 + +listen = /var/www/run/php-fpm-specific-path-2.sock +php_admin_value[openbsd.pledge_promises] = stdio rpath wpath 
cpath fattr flock unveil +php_admin_value[openbsd.unveil] = /:r,/tmp:rwc,/htdocs/var/log:rwc,/htdocs/var/cache:rwc + +[www] +user = www +group = www +listen.owner = www +listen.group = www +listen.mode = 0660 + +pm = dynamic +pm.max_children = 5 +pm.start_servers = 2 +pm.min_spare_servers = 1 +pm.max_spare_servers = 3 + +chroot = /var/www +pm.max_requests = 1 + +listen = /var/www/run/php-fpm.sock +php_admin_value[openbsd.pledge_promises] = stdio rpath wpath cpath fattr flock unveil inet +php_admin_value[openbsd.unveil] = /:r,/tmp:rwc,/htdocs/var/log:rwc,/htdocs/var/cache:rwc + +Don't forget to call `unveil(null, null);` in your PHP userland to disallow future unveil calls, or specify null:null as +the last argument eg: + +``` +php_admin_value[openbsd.unveil] = /:r,/tmp:rwc,/htdocs/var/log:rwc,/htdocs/var/cache:rwc,null:null +``` + +From the CLI, you can also provide promises or unveils: + +$ php \ +-dopenbsd.unveil='/var/empty:r,null:null' \ +-dopenbsd.pledge_promises='stdio dns' \ +-r 'echo gethostbyname("openbsd.org");' +199.185.178.80 + +$ php \ +-dopenbsd.unveil='/var/empty:r,null:null' \ +-dopenbsd.pledge_promises='stdio error' \ +-r 'echo
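Review bot: the three pool examples set openbsd.unveil to `/:r,/tmp:rwc,/htdocs/var/log:rwc,/htdocs/var/cache:rwc` without the trailing `null:null` that the paragraph right after them says is needed to disallow further unveil calls, and they keep `unveil` in openbsd.pledge_promises, so the copy-pasted form leaves every pool able to widen its filesystem view from userland. Either append `,null:null` in the pool examples themselves or show the `unveil(null, null);` userland call next to the pool it belongs to. Two smaller points: the default [www] pool adds `inet` but not `dns`, so anything that connects by hostname rather than IP will be killed (the CLI example further down pledges `stdio dns` for gethostbyname for exactly that reason), and "An simplified httpd example" should read "A simplified httpd example".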
UPDATE: www/pecl-pledge
Hi Here is an update to pecl-pledge 2.0.3. Release notes: https://pecl.php.net/package-changelog.php?package=pledge=2.0.3 Index: www/pecl-pledge/Makefile === RCS file: /cvs/ports/www/pecl-pledge/Makefile,v retrieving revision 1.10 diff -u -p -u -r1.10 Makefile --- www/pecl-pledge/Makefile 23 Mar 2022 23:58:30 - 1.10 +++ www/pecl-pledge/Makefile 10 Oct 2022 08:36:59 - @@ -1,7 +1,7 @@ COMMENT= PHP wrapper for pledge(2) and unveil(2) -DISTNAME= pledge-2.0.2 -REVISION= 4 +DISTNAME= pledge-2.0.3 +REVISION= 0 CATEGORIES= www Index: www/pecl-pledge/distinfo === RCS file: /cvs/ports/www/pecl-pledge/distinfo,v retrieving revision 1.1.1.1 diff -u -p -u -r1.1.1.1 distinfo --- www/pecl-pledge/distinfo 20 Nov 2018 10:28:52 - 1.1.1.1 +++ www/pecl-pledge/distinfo 10 Oct 2022 08:36:59 - @@ -1,2 +1,2 @@ -SHA256 (pledge-2.0.2.tgz) = sIhZLgfu8OOrusMPKVuwL5TPD8wIbLQUf20JeG3oKzs= -SIZE (pledge-2.0.2.tgz) = 6211 +SHA256 (pledge-2.0.3.tgz) = muc1oQwq5wh5AsShDjD34M+MU4FKmJJP8tu1moGXo+0= +SIZE (pledge-2.0.3.tgz) = 6855 Index: www/pecl-pledge/pkg/PLIST === RCS file: /cvs/ports/www/pecl-pledge/pkg/PLIST,v retrieving revision 1.4 diff -u -p -u -r1.4 PLIST --- www/pecl-pledge/pkg/PLIST 11 Mar 2022 20:10:41 - 1.4 +++ www/pecl-pledge/pkg/PLIST 10 Oct 2022 08:36:59 - @@ -1,5 +1,6 @@ -${MODPECL_DEFAULTV}@pkgpath www/pecl-pledge,php72 -${MODPECL_DEFAULTV}@pkgpath www/pecl-pledge,php73 +${MODPECL_DEFAULTV}@pkgpath www/pecl-pledge,php74 +${MODPECL_DEFAULTV}@pkgpath www/pecl-pledge,php80 +${MODPECL_DEFAULTV}@pkgpath www/pecl-pledge,php81 @extra ${SYSCONFDIR}/php-${MODPHP_VERSION}/${MODULE_NAME}.ini lib/php-${MODPHP_VERSION}/modules/${MODULE_NAME}.so share/doc/pkg-readmes/${PKGSTEM}
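Review bot: `+REVISION= 0` next to the DISTNAME change is not the usual form; when the version changes, the REVISION line is removed rather than reset to 0, since the new DISTNAME already makes the package name unique. Drop the line in this hunk.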
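Review bot: the @pkgpath rewrite in the PLIST hunk (php72 and php73 dropped, php74, php80 and php81 added) is a separate change from the 2.0.3 bump and affects the pkg_add -u update path for users who installed the older flavors; say so explicitly in the commit message and check that the new list matches the PHP flavors the tree currently provides.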
Re: NEW: security/pecl-pledge
Thanks for your patience, Stuart. I see that the extension is only compatible with >= 7.2 because ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX changed. I added FLAVOR=php72 in the port. The new version with this fix and README is attached. pecl-pledge.tgz Description: application/compressed-tar
Re: NEW: security/pecl-pledge
I fixed a few typos. The content of DESCR is below (and in attachment the full port).

This PHP extension adds support for OpenBSD's pledge and unveil system calls. The PHP userland functions pledge() and unveil() are wrappers around the OpenBSD system calls. These functions are a powerful mechanism to defend the PHP runtime and userland against some common exploits.

The theory:
---
The pledge(2) system call allows a program to restrict the types of operations the program can do after that point. Unlike other similar systems, pledge is specifically designed for programs that need to use a wide variety of operations on initialization, but fewer after initialization (when user input will be accepted). All pledge(2) promises are documented in the pledge(2) manual page.

The unveil(2) system call restricts the filesystem view. The first call to unveil(2) restricts the view. Subsequent calls can open it more. To prevent further unveiling, call unveil with no parameters or drop the unveil pledge if the program is pledged.

Web SAPI usage:
---
Be careful what to pledge/unveil! Using this module can cause a situation of self-denial-of-service. If PHP runs with mod_php, using pledge/unveil impacts an entire Apache child process. If pledge/unveil is used in php_fpm, it will impact the entire process for the whole lifetime of the process, not just one request.

Architectural tips:
---
Make sure you don't load extensions that you don't need in the web SAPI. For example: PHAR, PCNTL, etc. can be useful for hackers, don't load them.

For performance reasons it is a good idea to do as little work as possible in the web SAPI. Jobs can often be scheduled in a queue and run asynchronously from the CLI SAPI. For example, processing and resizing uploaded images does not need to run in the web SAPI. Jobs that need to do calls to an external service can fail and should implement retry mechanisms. These can slow down the web SAPI.

By using the asynchronous approach, the web SAPI loses functionality. Extensions like PHAR, PCNTL, GD, imagick, curl, ... can be unloaded. Fewer lines of code become accessible in the web facing part of the website and the attack surface gets smaller. The goal is gaining understanding of exactly what functionality is needed by each use-case, so each use-case can be isolated. Pledge/unveil can then be implemented specifically for each use-case.

A php_fpm process can implement pledge/unveil in a safe manner when the pm.max_requests configuration flag is set to 1. This means the process will respawn after each request. The default, and recommended, value for this flag is 0 for endless request processing. Because pledge/unveil affects the process and not just the request, different fpm pools can be configured for each type of work. Especially with unveil the developer can make sure system binaries are unavailable, jobs that don't have to write the filesystem will not be able to do so, jobs that don't have to read user uploaded files will not be able to do so, ...

In the web SAPI, avoid getting killed in subsequent requests by checking if a certain file or directory is still available and only call unveil if it is. E.g.:

    if (is_file('/etc')) { unveil(__DIR__, 'r'); }

Limiting network calls is not possible with pledge on a destination basis. But a workaround is to use pf to enforce rules on your fpm users, e.g.:

    block out proto {tcp udp} user your_fpm_user
    pass out proto tcp to $mysql_db port 3306 user your_fpm_user
    pass out proto tcp to $some_rest_api port 443 user your_fpm_user

But again, in the example above network calls can be avoided in the web SAPI if mysql runs on a domain socket and work involving APIs is scheduled and processed by a CLI job instead.

pecl-pledge.tgz Description: application/compressed-tar
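A worked example of the init-then-restrict flow this DESCR describes, added here as illustration (it is not code from the port or from the pecl-pledge extension itself). It uses the extension's pledge() and unveil() userland wrappers named above; the directory paths, the .job file convention and the trivial transformation are assumptions.

```php
<?php
// Added example (not code from the pecl-pledge port or extension): a CLI job
// that initialises with broad access, then narrows the filesystem view with
// unveil(), locks it, and drops to a minimal pledge(2) promise set.
declare(strict_types=1);

// Assumed layout, mirroring the /htdocs/var/{log,cache} paths in the README.
const QUEUE_DIR  = '/var/www/htdocs/var/queue';
const OUTPUT_DIR = '/var/www/htdocs/var/cache';
const LOG_FILE   = '/var/www/htdocs/var/log/job.log';

function restrict_process(): void
{
    // Refuse to run if the paths are not visible. (In the web SAPI the
    // is_file('/etc') check from the DESCR is used instead, to skip the
    // unveil in an already restricted process rather than get killed.)
    if (!is_dir(QUEUE_DIR) || !is_dir(OUTPUT_DIR) || !is_dir(dirname(LOG_FILE))) {
        throw new RuntimeException('job directories not visible; refusing to run');
    }
    unveil(QUEUE_DIR, 'r');            // job files are read only
    unveil(OUTPUT_DIR, 'rwc');         // results are written and created
    unveil(dirname(LOG_FILE), 'rwc');  // log may be appended to or created
    unveil(null, null);                // no further unveil calls from here on

    // Setup is done, so keep only what the job loop needs: no inet/dns,
    // no proc/exec, and no unveil promise since the view is already locked.
    pledge('stdio rpath wpath cpath fattr flock');
}

function process_jobs(): int
{
    $done = 0;
    foreach (glob(QUEUE_DIR . '/*.job') ?: [] as $job) {
        $payload = file_get_contents($job);
        if ($payload === false) {
            continue;
        }
        // A write outside the unveiled directories fails with ENOENT here
        // instead of succeeding silently, which is exactly what we want.
        $out = OUTPUT_DIR . '/' . basename($job, '.job') . '.out';
        if (@file_put_contents($out, strtoupper($payload), LOCK_EX) === false) {
            error_log("cannot write $out\n", 3, LOG_FILE);
            continue;
        }
        $done++;
    }
    return $done;
}

// Everything needing broad access (e.g. require 'vendor/autoload.php') belongs
// above this line; from here on the process is confined.
restrict_process();
printf("%d job(s) processed\n", process_jobs());
```

Run it as the CLI job the DESCR recommends (cron or a queue worker) rather than in the web SAPI, where the same sequence would confine the whole FPM process for its lifetime.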
Re: NEW: security/pecl-pledge
On Wed, Nov 14, 2018 at 12:19 PM Stuart Henderson wrote:
> I'd probably go for www/ for category,
> @conflict isn't needed

These are fixed.

> I would like to have some write-up (in DESCR probably) explaining what
> this might be useful for

I added a few lines that should present some ideas about how to use the module and warn users about the dangers. Any feedback on that one?

Tom

pecl-pledge.tgz Description: application/compressed-tar
Re: NEW: security/pecl-pledge
Attached is a port for pecl-pledge. This PHP extension adds support for OpenBSD's pledge and unveil system calls. I wrote and maintain that PHP extension. It works for PHP 7.0, 7.1 and 7.2. Can we add this to the ports tree? Docs are on the homepage of the project. Kind regards, Tom Van Looy pecl-pledge.tgz Description: application/compressed-tar
Re: NEW: security/pecl-pledge
Updated the extension to 2.0.2 (reflection info is much better now)

On Fri, Oct 12, 2018 at 11:59 PM Tom Van Looy wrote:
> Updated the extension to 2.0.1.
>
> On Thu, Oct 4, 2018 at 9:02 PM Tom Van Looy wrote:
>
>> Hi
>>
>> Attached is a port for pecl-pledge. This PHP extension adds support for
>> OpenBSD's pledge and unveil system calls. I wrote and maintain that PHP
>> extension.
>>
>> It works for PHP 7.0, 7.1 and 7.2.
>>
>> Docs are on the homepage of the project.
>>
>> Kind regards,
>>
>> Tom Van Looy
>>

pecl-pledge.tgz Description: application/compressed-tar
Re: NEW: security/pecl-pledge
Updated the extension to 2.0.1.

On Thu, Oct 4, 2018 at 9:02 PM Tom Van Looy wrote:
> Hi
>
> Attached is a port for pecl-pledge. This PHP extension adds support for
> OpenBSD's pledge and unveil system calls. I wrote and maintain that PHP
> extension.
>
> It works for PHP 7.0, 7.1 and 7.2.
>
> Docs are on the homepage of the project.
>
> Kind regards,
>
> Tom Van Looy
>

pecl-pledge.tgz Description: application/compressed-tar
NEW: security/pecl-pledge
Hi Attached is a port for pecl-pledge. This PHP extension adds support for OpenBSD's pledge and unveil system calls. I wrote and maintain that PHP extension. It works for PHP 7.0, 7.1 and 7.2. Docs are on the homepage of the project. Kind regards, Tom Van Looy pecl-pledge.tgz Description: application/compressed-tar
[FIX] varnish pexp doesn't match
Hi I was not able to stop varnish on my machine and noticed that the pexp didn't match. This is my ps output: _varnish 10665 1.2 4.2 24280 88380 ?? S 10:21PM0:00.46 varnishd: Varnish-Child -i x.home.ctors.net (varnishd) _varnish 21965 0.0 0.1 1608 2240 ?? Ss10:21PM0:00.01 varnishd: Varnish-Mgt -i x.home.ctors.net (varnishd) So, here is a fix for it: Index: www/varnish//pkg/varnishd.rc === RCS file: /cvs/ports/www/varnish/pkg/varnishd.rc,v retrieving revision 1.4 diff -u -p -u -r1.4 varnishd.rc --- www/varnish//pkg/varnishd.rc11 Jan 2018 19:27:12 - 1.4 +++ www/varnish//pkg/varnishd.rc3 Feb 2018 22:52:16 - @@ -7,7 +7,7 @@ daemon_flags="-j unix,user=_varnish,ccgr . /etc/rc.d/rc.subr -pexp="varnishd: Varnish-Mgr $(hostname)" +pexp="varnishd: Varnish-Mgt -i $(hostname)" rc_reload=NO rc_cmd $1
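Review bot: the new `pexp="varnishd: Varnish-Mgt -i $(hostname)"` fixes the Mgr/Mgt mismatch the ps output shows, but it also hard-codes that `-i $(hostname)` follows the process title, which only holds while varnishd runs with that identity; an admin who passes a different `-i` value through daemon_flags (the flags line in the hunk context) will hit the same cannot-stop failure again. Consider matching on the title alone, e.g. `pexp="varnishd: Varnish-Mgt .*"`, which still excludes the Varnish-Child process, or at least note the coupling in a comment in the rc script.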
Re: UPDATE: php revamp
On Sat, Nov 4, 2017 at 12:13 PM, Marc Espie wrote:
> Welcome to the world of actual distributions. We are supposed to
> be the expert and to know better than the end user.
>
> There's nothing that prevents you from adding this kind of rationale
> to the actual package DESCR.
>
> One strong point of OpenBSD is that we actually make this kind of
> decision. Choosing best paths for software components, so that the
> end-user doesn't have to worry too much.
>
> I've never been a fan of debian where they split stuff into so
> many very small packages that you never know what to install.

If you are a user, things like Drupal, Symfony, WordPress, Magento, ... have a requirements page that tells you what extensions you have to enable. It's up to the developers of those systems to tell you what the requirements are. If you are a PHP developer writing actual software, in my opinion, you should learn what the extensions are for. There is good documentation available on php.net for developers.

> Now, think like an end-user. Assume they want to use php. What do
> they do ? They add the main package. They try to run something.
> They discover one dependency is missing. They add that dependency.
> They do it another time...
>
> How many times are they going to do it ?
>
> The safe bet is that they usually give up after the 4th dependency,
> and just add *everything* that has php in it.
>
> Congrats, you just gave them enough rope so that they add fileinfo
> by default.

Let's make a comparison with, let's say, PF. Users try to run something, they open a port, open another port, ... so how many ports do they open until they just allow any to any? If users are lazy there is not much you can do about it. What solution should OpenBSD provide for that? A default ruleset that assumes they run smtp, serve http, use skype, etc? No offense, I'm trying to understand your point of view.
Re: UPDATE: php revamp
On Fri, Nov 3, 2017 at 9:56 PM, Marc Espie wrote:
> run-time depends can be a bitch. The stuff still packages, and stays that
> way until somebody notices an issue... which often happens a few months
> after the commits, and sometimes even after release.
>
> Does php complain as soon as you try to start the offending package, or
> only when you activate some functionality that depends on the extra
> plugin ?

It only starts complaining when you use a function that isn't there. So yeah, that would lead to possible trouble. What if we enable the extensions by default when you install them? Given that you install them, you probably want them enabled anyway. And that would be a solution for this problem.
Re: UPDATE: php revamp
On Thu, Nov 2, 2017 at 10:59 PM, Antoine Jacoutot wrote:
> On Thu, Nov 02, 2017 at 09:30:34PM +, Stuart Henderson wrote:
> > It's a matter of opinion. I will cope but I really don't like the
> > FreeBSD-style micro splitting.
>
> +1

I don't see that as a problem but I get the point. I don't mind having all extensions installed by default, like opcache, curl, readline, intl, etc. are often used. The thing I like about the new approach is that they are loadable modules and disabled by default. Like Martijn says, it doesn't make sense to have WDDX, readline etc. compiled in. I do like the fact that you have to pick an SAPI now.
Re: UPDATE: php revamp
Hi

Martijn did a very good job with this. This makes OpenBSD's PHP setup incredibly better. I tested yesterday's patch and it works fine (I had trouble with the other ones). I built everything and tested 7.1, 7.0, 5.6 with cli and fpm + extensions (opcache, curl, intl, etc.). So, looks good. I hope it gets committed soon.

Thanks Martijn!

Tom Van Looy
Remove www/zendframework
Hi

The port www/zendframework should be removed. It is supplying old version 1.12.9 and was not touched in the past years. The latest in the 1.12.* series is 1.12.20, which is EOL since 28 Sep 2016 (https://framework.zend.com/blog/2016-06-28-zf1-eol.html). Nothing in the ports tree depends on www/zendframework. Newer versions of Zend Framework (2 and 3) can be installed with composer.

Kind regards,

Tom Van Looy
Re: Thank you for making p2k9 possible!
p2k9 (the ports hackathon in Budapest) is on since Friday. People are working on different things like GNOME, GCC4, BluRay support or even ACPI. I would like to thank everyone who donated money to the project because the individual donors made it possible to organize this event. So ... BIG THANKS GOES TO OUR USERS, to people supporting the project even at these times. I'd also like to thank NIIF and Sun Microsystems Hungary for lending us a nice hackroom and hardware for the hackathon. And don't forget yourself! Big thanks to you dev guys for being in Budapest figuring out new cool things to add to OpenBSD for us users.