php-fpm & failed precmd routine for php_fpm


bryn1u85

Oct 9, 2018, 2:52:02 PM
to pku...@anongoth.pl, HardenedBSD Users, ber...@brnrd.eu
Hey,
@pkubaj, as I said in the last mail, there is a complete misunderstanding of the issue related to php-fpm.

I installed php72 using pkg install php72 inside a jail.

I have rules from the secadm git. All other applications work great, but when I enter "service php-fpm start" I'm getting something like below:


root@proton:/ # service php-fpm start
Performing sanity check on php-fpm configuration:
Segmentation fault (core dumped)
/usr/local/etc/rc.d/php-fpm: WARNING: failed precmd routine for php_fpm

My secadm rules.

root@proton:/ # secadm list
+0: pax /usr/local/bin/php mps
+1: pax /usr/local/sbin/httpd mp
+2: pax /usr/local/sbin/pure-ftpd a
+3: pax /usr/local/sbin/nginx mp
+4: pax /usr/local/bin/python2.7 mp
+5: pax /usr/local/sbin/php-fpm mps
+6: pax /usr/local/bin/node mp
+7: pax /usr/local/bin/php-cgi mps

secadm.rules
pax {
        path: "/usr/local/bin/php-cgi",
        pageexec: false,
        mprotect: false,
        segvguard: false,
}

pax {
        path: "/usr/local/sbin/php-fpm",
        pageexec: false,
        mprotect: false,
        segvguard: false,
}

pax {
        path: "/usr/local/bin/php",
        pageexec: false,
        mprotect: false,
        segvguard: false,
}
Dmesg from host:
[22360]  -> fname: /usr/local/sbin/php-fpm
[22360] pid 23868 (php-fpm), uid 0: exited on signal 11 (core dumped)
[22470]  -> fname: /usr/local/sbin/php-fpm
[22470] pid 67292 (php-fpm), uid 0: exited on signal 11 (core dumped)
[24757]  -> fname: /usr/local/sbin/php-fpm
[24757] pid 67434 (php-fpm), uid 0: exited on signal 11 (core dumped)
[24906]  -> fname: /usr/local/sbin/php-fpm
[24906] pid 51345 (php-fpm), uid 0: exited on signal 11 (core dumped)
[24919]  -> fname: /usr/local/sbin/php-fpm
[24919] pid 65825 (php-fpm), uid 0: exited on signal 11 (core dumped)

Before running service php-fpm start I restarted the jail, of course.
Could you tell me what is going on? Why doesn't this work? I have all good settings. As I mentioned, all other services work without any problem and the secadm rules work.
Thanks.

bryn1u85

Oct 9, 2018, 5:45:47 PM
to pku...@anongoth.pl, HardenedBSD Users, ber...@brnrd.eu
One more thing. This problem shows up even when I turned off:
sysctl hardening.pax.mprotect.status=0 hardening.pax.pageexec.status=0
Then restart the jail, of course, and:
[35633]  -> fname: /usr/local/sbin/php-fpm
[35633]  -> pid: 4109 ppid: 76008 p_pax: 0x66a<NOPAGEEXEC,NOMPROTECT,NOSEGVGUARD,ASLR,NOSHLIBRANDOM,DISALLOWMAP32BIT>
[35634] pid 4109 (php-fpm), uid 0: exited on signal 11 (core dumped)

The same problem showed up with mod_security3. When I turned off all hardening features, the problem still existed.
root@proton:/ # service php-fpm start
Performing sanity check on php-fpm configuration:
Segmentation fault (core dumped)
/usr/local/etc/rc.d/php-fpm: WARNING: failed precmd routine for php_fpm
root@proton:/ #

Ehh. It's unbelievable.

Uwe Trenkner

Oct 10, 2018, 2:51:04 AM
to bryn1u85, HardenedBSD Users, ber...@brnrd.eu
I recently installed php72 on an 11-STABLE server and php-fpm is running without any complaints.

Do you have any extensions installed? Try disabling one after the other and see if you can find one which causes your problem. In April, I had a problem with php56 and I was able to track the problem down to php56-opcache. Disabling this extension solved the problem (which was later fixed in upstream FreeBSD ports and was due to issues with the new clang 6.0 compiler https://svnweb.freebsd.org/ports?view=revision&revision=469895 ).

These are the extensions I run with php72 (all installed from the official HBSD package repo):
php72-7.2.10
php72-ctype-7.2.10
php72-curl-7.2.10
php72-dom-7.2.10
php72-extensions-1.0
php72-filter-7.2.10
php72-hash-7.2.10
php72-iconv-7.2.10
php72-json-7.2.10
php72-mysqli-7.2.10
php72-opcache-7.2.10
php72-pdo-7.2.10
php72-pdo_sqlite-7.2.10
php72-phar-7.2.10
php72-posix-7.2.10
php72-session-7.2.10
php72-simplexml-7.2.10
php72-sqlite3-7.2.10
php72-tokenizer-7.2.10
php72-xml-7.2.10
php72-xmlreader-7.2.10
php72-xmlwriter-7.2.10
php72-zlib-7.2.10

Good luck!
Uwe.
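
Uwe's suggestion to disable extensions one after the other can be scripted. The following is an added example, not part of the thread: it assumes each extension is enabled by its own ext-*.ini file in one directory (the directory in the usage comment is an assumption), and it re-enables the files one at a time from an empty set, a variant that also reports more than one crashing extension.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes every extension is enabled by
# its own ext-*.ini file in DIR and that the check command exits non-zero
# (139 = 128 + SIGSEGV) when loading fails.
#
# find_bad_ext DIR CMD [ARGS...]
# Prints the ini files that make CMD fail when re-enabled. Returns 0 normally,
# 2 if CMD fails with no extension enabled, 3 on setup error. DIR is restored.
find_bad_ext() {
    dir=$1; shift
    stash=$(mktemp -d "${TMPDIR:-/tmp}/extstash.XXXXXX") || return 3
    bad=""
    # Park every extension ini outside the scanned directory.
    for ini in "$dir"/ext-*.ini; do
        [ -e "$ini" ] || continue
        mv "$ini" "$stash/"
    done
    if "$@" >/dev/null 2>&1; then
        # Re-enable in sorted (priority) order so dependencies load first.
        for ini in "$stash"/ext-*.ini; do
            [ -e "$ini" ] || continue
            name=${ini##*/}
            mv "$ini" "$dir/$name"
            if ! "$@" >/dev/null 2>&1; then
                bad="$bad $name"
                mv "$dir/$name" "$stash/$name"   # keep it off and go on
            fi
        done
        rc=0
    else
        rc=2    # still failing with no extensions: look elsewhere
    fi
    # Put every ini back so the configuration is unchanged.
    for ini in "$stash"/ext-*.ini; do
        [ -e "$ini" ] || continue
        mv "$ini" "$dir/"
    done
    rmdir "$stash"
    echo $bad
    return $rc
}

# Usage in the jail (directory is an assumption; binary path is from the thread):
#   find_bad_ext /usr/local/etc/php /usr/local/sbin/php-fpm -t
```

A return status of 2 means the check fails even with no extension ini present, so the cause lies outside the extensions.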

bryn1u85

Oct 10, 2018, 5:36:26 AM
to Uwe Trenkner, HardenedBSD Users, ber...@brnrd.eu
Thank you. I will try then. :)

bryn1u85

Oct 10, 2018, 5:31:40 PM
to Uwe Trenkner, HardenedBSD Users, ber...@brnrd.eu
Hey,

@Uwe, thank you for the clue. You are right. The problem is with some PHP dependencies. I'm still trying to find which one is responsible for the crash. I'm still wondering how security works in HBSD, that even without mprotect (turned off by sysctl) and pageexec the system is killing php-fpm.

Uwe Trenkner

Oct 11, 2018, 7:33:10 AM
to bryn1u85, HardenedBSD Users
Glad I could help a little.

Can you be certain that the problem lies with HBSD's security mechanisms? In my case the problem was with php-opcache in connection with the new Clang 6.0 compiler used by HBSD. The same problem would have shown, if you had used Clang 6.0 on FreeBSD. It had nothing to do with the security mechanisms of HBSD.

Best regards
Uwe.

bryn1u85

Oct 11, 2018, 11:38:40 AM
to Uwe Trenkner, HardenedBSD Users
Ahhh. Now I'm able to understand how it works. So probably the latest issues were related to this issue. Everything is clear to me now.

Thank you again. :))