View Issue Details

| Field | Value |
|---|---|
| ID | 0000429 |
| Project | Friendica |
| Category | install |
| View Status | public |
| Date Submitted | 2012-05-21 12:49 |
| Last Update | 2012-05-22 16:14 |
| Reporter | talion |
| Assigned To | |
| Priority | low |
| Severity | feature |
| Reproducibility | N/A |
| Status | new |
| Resolution | open |
| Platform | |
| OS | |
| OS Version | |
| Product Version | |
| Fixed in Version | |
| Summary | 0000429: Documentation: How to resolve suhosin issue with Friendica cron and proc_open |
Description

Since I've spent some time with this issue, it might be relevant enough to include the solution into the documentation / INSTALL.txt.

On my server I use the PHP protection system Suhosin (http://www.hardened-php.net/suhosin/). One of the things it does is to block certain functions like proc_open, as configured in /etc/php5/conf.d/suhosin.ini:

```ini
suhosin.executor.func.blacklist = proc_open, ...
```

For those sites like Friendica that really need these functions they can be enabled, e.g. in /etc/apache2/sites-available/friendica:

```apache
<Directory /var/www/friendica/>
    php_admin_value suhosin.executor.func.blacklist none
    php_admin_value suhosin.executor.eval.blacklist none
</Directory>
```

This enables every function for Friendica if accessed via browser, but not for the cronjob that is called via the PHP command line. I attempted to enable it for cron by using something like

```crontab
*/10 * * * * cd /var/www/friendica/friendica/ && sudo -u www-data /usr/bin/php -d suhosin.executor.func.blacklist=none -d suhosin.executor.eval.blacklist=none -f include/poller.php
```

This worked well for simple test cases, but the friendica-cron still failed with a fatal error:

```
suhosin[22962]: ALERT - function within blacklist called: proc_open() (attacker 'REMOTE_ADDR not set', file '/var/www/friendica/friendica/boot.php', line 1341)
```

After a while I noticed that include/poller.php calls further PHP scripts via proc_open. These scripts themselves also use proc_open and fail, because they are NOT called with -d suhosin.executor.func.blacklist=none. So the simple solution is to put the correct parameters into .htconfig.php:

```php
// Location of PHP command line processor
$a->config['php_path'] = '/usr/bin/php -d suhosin.executor.func.blacklist=none -d suhosin.executor.eval.blacklist=none';
```

This is obvious as soon as you notice that the friendica-cron uses proc_open to execute PHP scripts that also use proc_open, but it took me quite some time to find that out.

I hope this saves some time for other people using suhosin with function blacklists.
| Tags | cron, poller.php, proc_open, suhosin |
| Attached Files | |
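The diagnosis in the report comes down to one rule: `-d` ini overrides passed on the cron command line apply only to that one PHP process, while the scripts the poller starts through proc_open are launched with whatever command line is configured in `$a->config['php_path']`. The shell script below is an added example, not Friendica's code and not the reporter's setup: it extracts `php_path` from a `.htconfig.php`, checks that the value carries both Suhosin overrides from the report, and runs that check against two constructed sample configs, the bare `/usr/bin/php` beside the corrected value. The sample file names, the temporary directory and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not part of Friendica): verify that the PHP command line
# Friendica will hand to proc_open carries the Suhosin overrides.  Flags on
# the crontab entry are not inherited by those child processes, so only
# php_path in .htconfig.php matters for them.

# The two overrides named in the issue, expected as "-d key=value" flags.
REQUIRED_OVERRIDES="suhosin.executor.func.blacklist=none suhosin.executor.eval.blacklist=none"

# Print the value of $a->config['php_path'] from the .htconfig.php given as $1.
# Assumes the single-line, single-quoted assignment shown in the issue and
# ignores commented-out lines (they do not start with "$a").
extract_php_path() {
    sed -n "s/^[[:space:]]*[$]a->config\['php_path'\][[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Return 0 if every required override appears in the command line $1 as a
# space-separated "-d key=value" flag, 1 otherwise.
has_suhosin_overrides() {
    cmd=$1
    for opt in $REQUIRED_OVERRIDES; do
        case " $cmd " in
            *" -d $opt "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Report on one .htconfig.php: 0 = overrides present, 1 = missing, 2 = no php_path.
check_htconfig() {
    php_path=$(extract_php_path "$1")
    if [ -z "$php_path" ]; then
        echo "no php_path set in $1"
        return 2
    fi
    if has_suhosin_overrides "$php_path"; then
        echo "ok: $php_path"
        return 0
    fi
    echo "missing: php_path '$php_path' lacks the Suhosin overrides; scripts started via proc_open will hit the blacklist"
    return 1
}

# Constructed sample configs (example data, not files from the issue).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

cat > "$tmpdir/weak.htconfig.php" <<'EOF'
<?php
// Location of PHP command line processor
$a->config['php_path'] = '/usr/bin/php';
EOF

cat > "$tmpdir/fixed.htconfig.php" <<'EOF'
<?php
// Location of PHP command line processor
$a->config['php_path'] = '/usr/bin/php -d suhosin.executor.func.blacklist=none -d suhosin.executor.eval.blacklist=none';
EOF

check_htconfig "$tmpdir/weak.htconfig.php" || true
check_htconfig "$tmpdir/fixed.htconfig.php" || true
```

The check only looks at the spaced `-d key=value` form used in the report; a `php_path` that reaches the same effect through a different mechanism (for example a per-SAPI php.ini that already sets the blacklist to none for the CLI) would be reported as missing, which is the conservative outcome for a config linter.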
Notes

(0000643) macgirvin (administrator) 2012-05-22 16:14
Text added to INSTALL.txt - we should probably put this on the github wiki also.
Issue History

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2012-05-21 12:49 | talion | New Issue | |
| 2012-05-21 12:52 | talion | Tag Attached: cron | |
| 2012-05-21 12:52 | talion | Tag Attached: poller.php | |
| 2012-05-21 12:52 | talion | Tag Attached: proc_open | |
| 2012-05-21 12:52 | talion | Tag Attached: suhosin | |
| 2012-05-21 12:54 | talion | Issue Monitored: talion | |
| 2012-05-22 16:14 | macgirvin | Note Added: 0000643 | |