# zend guard loader php-5.3 cgi mprotect

## at_chaos

Hi,

I tried to run Zend Guard Loader as zend_extension (the preferred way to load the module). After including it every php file segfaults. This seems due to MPROCTECT on /usr/lib64/php5.3/php-cgi , if I remove it by paxctl -m the extension gets loaded as it should. Please let me know if this is a bad idea or how I better can solve that issue.

Error in dmesg:

```
[5229385.155308] grsec: From 77.117.247.196: denied RWX mprotect of /lib64/ld-2.14.1.so by /usr/lib64/php5.3/bin/php-cgi[php-cgi:25378] uid/euid:10036/10036 gid/egid:10036/10036, parent /usr/sbin/apache2[apache2:25345] uid/euid:81/81 gid/egid:81/81

[5229385.155319] php-cgi[25378]: segfault at 32bf11b5d90 ip 0000032bf0f9bfb4 sp 000003b3c6c1fb00 error 7 in ld-2.14.1.so[32bf0f95000+21000]

[5229385.155331] grsec: From 77.117.247.196: Segmentation fault occurred at 0000032bf11b5d90 in /usr/lib64/php5.3/bin/php-cgi[php-cgi:25378] uid/euid:10036/10036 gid/egid:10036/10036, parent /usr/sbin/apache2[apache2:25345] uid/euid:81/81 gid/egid:81/81

[5229385.155344] grsec: From 77.117.247.196: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/lib64/php5.3/bin/php-cgi[php-cgi:25378] uid/euid:10036/10036 gid/egid:10036/10036, parent /usr/sbin/apache2[apache2:25345] uid/euid:81/81 gid/egid:81/81

```

emerge --info

```

System uname: Linux-3.0.4-hardened-r5-x86_64-QEMU_Virtual_CPU_version_0.15.0-with-gentoo-2.1

Timestamp of tree: Mon, 11 Jun 2012 11:45:01 +0000

app-shells/bash:          4.2_p20

dev-lang/python:          2.4.6, 2.5.4-r4, 2.6.8, 2.7.3-r1, 3.1.5, 3.2.3

dev-util/cmake:           2.8.6-r4

dev-util/pkgconfig:       0.26

sys-apps/baselayout:      2.1-r1

sys-apps/openrc:          0.9.8.4

sys-apps/sandbox:         2.5

sys-devel/autoconf:       2.68

sys-devel/automake:       1.11.1

sys-devel/binutils:       2.21.1-r1

sys-devel/gcc:            4.5.3-r2

sys-devel/gcc-config:     1.6

sys-devel/libtool:        2.4-r1

sys-devel/make:           3.82-r1

sys-kernel/linux-headers: 3.1 (virtual/os-headers)

sys-libs/glibc:           2.14.1-r3

Repositories: gentoo

ACCEPT_KEYWORDS="amd64"

ACCEPT_LICENSE="* -@EULA"

CBUILD="x86_64-pc-linux-gnu"

CFLAGS="-mtune=native -O2 -pipe"

CHOST="x86_64-pc-linux-gnu"

CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/bind"

CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"

CXXFLAGS="-mtune=native -O2 -pipe"

DISTDIR="/usr/portage/distfiles"

FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphansuserfetch"

FFLAGS=""

GENTOO_MIRRORS="ftp://mirrors.tds.net/gentoo http://gentoo.supp.name/ http://ftp.uni-erlangen.de/pub/mirrors/gentoo http://ftp.club-internet.fr/pub/mirrors/gentoo"

LANG="de_DE.UTF-8"

LDFLAGS="-Wl,-O1 -Wl,--as-needed"

LINGUAS="de en"

MAKEOPTS="-j3"

PKGDIR="/usr/portage/packages"

PORTAGE_CONFIGROOT="/"

PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes"

PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"

PORTAGE_TMPDIR="/var/tmp"

PORTDIR="/usr/portage"

PORTDIR_OVERLAY=""

SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage/"

USE="acl amd64 apache2 berkdb bzip2 cli cracklib crypt cups cxx dri gdbm gpm hardened iconv jpeg justify mmx modules mudflap mysql ncurses nls nptl openmp pam pax_kernel pcre perl png pppd readline session sse sse2 ssl tcpd unicode urandom xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="de en" PHP_TARGETS="php5-3" PYTHON_TARGETS="python3_2 python2_7" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"

Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, USE_PYTHON

```

Should the extension work without disabling the MPROTECT flag? Is this a bug or normal?

Thanks!

----------

## vostorga

Actually, paxctl -m is how I workaround this issue.

----------

