# Apache2, PHP on hardened profile with MPROTECT flag

## mamunata

Hi there,

I'm using hardened Gentoo x86 on my home server and after a current update of lot of a packages including new kernel there is a problem with apache2 and php. By default /usr/sbin/apache2 binary and /usr/lib/apache2/modules/libphp5.so library has MPROTECT enabled:

```

#paxctl -v /usr/sbin/apache2

PaX control v0.5

Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>

- PaX flags: -----m-x-e-- [/usr/sbin/apache2]

   MPROTECT is disabled

   RANDEXEC is disabled

   EMUTRAMP is disabled

#

#paxctl -v /usr/lib/apache2/modules/libphp5.so 

PaX control v0.5

Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>

- PaX flags: ----M--x-e-- [/usr/lib/apache2/modules/libphp5.so]

   MPROTECT is enabled

   RANDEXEC is disabled

   EMUTRAMP is disabled

```

With this flags apache with libphp wouldn't start - it doesn't fork, start single process, and dmesg says

```

[45658.577065] apache2[25039]: segfault at 5133bed0 ip 51327334 sp 5a47fbac error 7 in ld-2.8.so[5131f000+1c000]

[45658.577144] grsec: From XX.XX.XX.XX: signal 11 sent to /usr/sbin/apache2[apache2:25039] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

[45658.577184] grsec: From XX.XX.XX.XX: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/sbin/apache2[apache2:25039] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

```

Without libphp apache starts and works fine.

Disabling MPROTECT flag on /usr/sbin/apache2 binary makes the trick and apache can handle PHP. 

Is that the right way or there's a bug?

Here is my emerge --info:

```

# emerge --info

Portage 2.1.6.13 (hardened/x86, gcc-3.4.6, glibc-2.8_p20080602-r1, 2.6.28-hardened-r9 i686)

=================================================================

System uname: Linux-2.6.28-hardened-r9-i686-AMD_Duron-tm-_Processor-with-glibc2.3.2

Timestamp of tree: Tue, 16 Jun 2009 04:30:01 +0000

app-shells/bash:     3.2_p39

dev-lang/python:     2.5.4-r2

dev-python/pycrypto: 2.0.1-r8

sys-apps/baselayout: 1.12.11.1

sys-apps/sandbox:    1.6-r2

sys-devel/autoconf:  2.13, 2.63

sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2

sys-devel/binutils:  2.18-r3

sys-devel/gcc-config: 1.4.1

sys-devel/libtool:   1.5.26

virtual/os-headers:  2.6.27-r2

ACCEPT_KEYWORDS="x86"

ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1    emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m    maestro3 trident usb-audio via82xx via82xx-modem ymfpci"

ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"

APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias"

APACHE2_MPMS="worker"

ARCH="x86"

AUTOCLEAN="yes"

CBUILD="i686-pc-linux-gnu"

CCACHE_DIR="/var/tmp/portage/ccache"

CCACHE_SIZE="512M"

CFLAGS="-mtune=athlon-tbird -O3 -pipe -fomit-frame-pointer -fstack-protector"

CHOST="i686-pc-linux-gnu"

CLEAN_DELAY="5"

COLLISION_IGNORE="/lib/modules"

CONFIG_PROTECT="/etc"

CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"

CVS_RSH="ssh"

CXXFLAGS="-mtune=athlon-tbird -O3 -pipe -fomit-frame-pointer -fstack-protector"

DCCC_PATH="/usr/lib/distcc/bin"

DISTCC_LOG=""

DISTCC_VERBOSE="0"

DISTDIR="/usr/portage/distfiles"

EDITOR="/bin/nano"

ELIBC="glibc"

EMERGE_DEFAULT_OPTS="--verbose"

EMERGE_WARNING_DELAY="10"

FEATURES="collision-protect digest distlocks fixpackages nodoc noinfo nostrip parallel-fetch protect-owned sandbox sfperms strict stricter unmerge-orphans userfetch userpriv usersandbox"

FETCHCOMMAND="/usr/bin/wget -t 5 -T 60 --passive-ftp -O "${DISTDIR}/${FILE}" "${URI}""

GCC_SPECS=""

GENTOO_MIRRORS="http://mirrors.ludost.net/gentoo http://distfiles.gentoo.bg http://distfiles.gentoo.org http://www.ibiblio.org/pub/Linux/distributions/gentoo"

HOME="/root"

HUSHLOGIN="FALSE"

INFOPATH="/usr/share/info:/usr/share/binutils-data/i686-pc-linux-gnu/2.18/info:/usr/share/gcc-data/i686-pc-linux-gnu/3.4.6/info"

INPUT_DEVICES="keyboard mouse"

KERNEL="linux"

LANG="en_US.utf8"

LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"

LC_ALL="en_US.utf8"

LDFLAGS=""

LESS="-R -M --shift 5"

LESSOPEN="|lesspipe.sh %s"

LINGUAS="en en_GB en_US"

LOGNAME="root"

LS_COLORS="rs=0:di=01;34:ln=01;36:hl=44;37:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.pdf=00;32:*.ps=00;32:*.txt=00;32:*.patch=00;32:*.diff=00;32:*.log=00;32:*.tex=00;32:*.doc=00;32:*.aac=00;36:*.au=00;36:*.flac=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.axa=00;36:*.oga=00;36:*.spx=00;36:*.xspf=00;36:"

MAIL="/var/mail/root"

MAKEOPTS="-j2"

MANPATH="/usr/local/share/man:/usr/share/man:/usr/share/binutils-data/i686-pc-linux-gnu/2.18/man:/usr/share/gcc-data/i686-pc-linux-gnu/3.4.6/man:/usr/lib/php5/man/"

NETBEANS="apisupport cnd groovy gsf harness ide identity j2ee java mobility nb php profiler soa visualweb webcommon websvccommon xml"

NOCOLOR="false"

PAGER="/usr/bin/less"

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/3.4.6"

PKGDIR="/usr/portage/packages"

PORTAGE_ARCHLIST="ppc s390 amd64 x86 ppc64 x86-fbsd m68k arm sparc sh mips ia64 alpha hppa amd64-fbsd sparc-fbsd"

PORTAGE_BINHOST="http://tinderbox.dev.gentoo.org/hardened/x86/"

PORTAGE_BINHOST_CHUNKSIZE="3000"

PORTAGE_BIN_PATH="/usr/lib/portage/bin"

PORTAGE_COMPRESS_EXCLUDE_SUFFIXES="css gif htm[l]? jp[e]?g js pdf png"

PORTAGE_CONFIGROOT="/"

PORTAGE_DEBUG="0"

PORTAGE_DEPCACHEDIR="/var/cache/edb/dep"

PORTAGE_ELOG_CLASSES="log warn error"

PORTAGE_ELOG_MAILFROM="portage@localhost"

PORTAGE_ELOG_MAILSUBJECT="[portage] ebuild log for ${PACKAGE} on ${HOST}"

PORTAGE_ELOG_MAILURI="root"

PORTAGE_ELOG_SYSTEM="save_summary echo"

PORTAGE_FETCH_CHECKSUM_TRY_MIRRORS="5"

PORTAGE_FETCH_RESUME_MIN_SIZE="350K"

PORTAGE_GID="250"

PORTAGE_INST_GID="0"

PORTAGE_INST_UID="0"

PORTAGE_NICENESS="10"

PORTAGE_PYM_PATH="/usr/lib/portage/pym"

PORTAGE_RSYNC_EXTRA_OPTS=""

PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"

PORTAGE_RSYNC_RETRIES="3"

PORTAGE_TMPDIR="/var/tmp/portage"

PORTAGE_TMPFS="/dev/shm"

PORTAGE_VERBOSE="1"

PORTAGE_WORKDIR_MODE="0700"

PORTDIR="/usr/portage"

PORTDIR_OVERLAY="/usr/local/portage"

PORT_LOGDIR="/var/log/portage"

PROFILE_ONLY_VARIABLES="ARCH ELIBC KERNEL USERLAND"

PWD="/root"

REMOTEHOST="92.247.231.237"

RESUMECOMMAND="/usr/bin/wget -c -t 5 -T 60 --passive-ftp -O "${DISTDIR}/${FILE}" "${URI}""

ROOT="/"

ROOTPATH="/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/3.4.6"

RPMDIR="/usr/portage/rpm"

SHELL="/bin/bash"

SHLVL="1"

SSH_CLIENT="92.247.231.237 38595 22"

SSH_CONNECTION="92.247.231.237 38595 192.168.1.2 22"

SSH_TTY="/dev/pts/1"

STAGE1_USE="hardened pic"

SYNC="rsync://rsync.gentoo.org/gentoo-portage"

TERM="xterm"

USE="3dfx 3dnow acl acpi apache2 bash-completion berkdb bzip2 caps cracklib crypt cups curl curlwrappers dbus ftp gd gdbm gnutls gpm hal hardened hardenedphp hash iconv idn iproute2 jbig jpeg jpeg2k libwww lm_sensors memlimit mhash midi mysql mysqli ncurses nls nptl nptlonly odbc pam pcntl pcre php pic png pnp posix python readline samba sharedext sharedmem skey slang snmp sqlite sqlite3 ssl svga sysvipc tcpd threads tiff tokenizer truetype unicode urandom usb x86 xattr xinetd xml xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1    emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m    maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias" APACHE2_MPMS="worker" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en en_GB en_US" USERLAND="GNU" VIDEO_CARDS="sis vesa vga"

USER="root"

USERLAND="GNU"

USE_EXPAND="ALSA_CARDS ALSA_PCM_PLUGINS APACHE2_MODULES APACHE2_MPMS CAMERAS CROSSCOMPILE_OPTS DVB_CARDS ELIBC FCDSL_CARDS FOO2ZJS_DEVICES FRITZCAPI_CARDS INPUT_DEVICES KERNEL LCD_DEVICES LINGUAS LIRC_DEVICES MISDN_CARDS NETBEANS_MODULES QEMU_SOFTMMU_TARGETS QEMU_USER_TARGETS USERLAND VIDEO_CARDS"

USE_EXPAND_HIDDEN="CROSSCOMPILE_OPTS ELIBC KERNEL USERLAND"

USE_ORDER="env:pkg:conf:defaults:pkginternal:env.d"

VIDEO_CARDS="sis vesa vga"

_="/usr/bin/emerge"

```

Last edited by mamunata on Sun Jun 21, 2009 5:54 am; edited 2 times in total

----------

## wswartzendruber

As far as I know, MPROTECT is your friend if you don't want buffer overflow exploitations.  So masking the latest PHP/Apache/kernel/whatever that triggered it might be the answer.  And then, of course, file a bug.

----------

