From ben.rubson at gmail.com Wed Dec 9 16:33:12 2015
From: ben.rubson at gmail.com (Ben RUBSON)
Date: Wed, 9 Dec 2015 16:33:12 +0100
Subject: [mpm-itk] Improving security under FreeBSD
Message-ID:

Hello,

Regarding security, setuid() and setgid() calls can be restricted thanks to LimitUIDRange and LimitGIDRange options.
This only works with Linux, as it requires seccomp v2.

Could we think about improving security under FreeBSD?
Perhaps Capsicum framework could help?

Thank you very much!

Best regards,

Ben

From sgunderson at bigfoot.com Wed Dec 9 18:50:12 2015
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Wed, 9 Dec 2015 18:50:12 +0100
Subject: [mpm-itk] Improving security under FreeBSD
In-Reply-To:
References:
Message-ID: <20151209175012.GA15629@sesse.net>

On Wed, Dec 09, 2015 at 04:33:12PM +0100, Ben RUBSON wrote:
> Could we think about improving security under FreeBSD?
> Perhaps Capsicum framework could help?

Hi,

I don't use FreeBSD myself, but I'd be happy about patches that do something meaningful here.

/* Steinar */
--
Homepage: https://www.sesse.net/

From forums at artfulrobot.uk Thu Dec 17 15:34:08 2015
From: forums at artfulrobot.uk (Rich)
Date: Thu, 17 Dec 2015 14:34:08 +0000
Subject: [mpm-itk] ITK seems to make PHP's file_get_contents() hang with https URLs.
Message-ID: <5672C7E0.8040301@artfulrobot.uk>

Hi,

Long time user of ITK, but have had a few problems since upgrading to the version packaged with Debian Jessie (2.4.10).

The one I'm stuck on took me ages to track it down to ITK, which I believe is to blame because if I turn it off the problem goes away.

When using PHP (5.6)'s file_get_contents() function with an https URL that points to the ITK-enabled Apache 2.4 server, it will hang, indefinitely or for a socket timeout of 60s.

Using wireshark and strace I can see that PHP is able to connect and receive the data at normal speed, but then just sits waiting. It doesn't close the connection for some reason.

My test environment was:

1. Install Debian 8, Apache 2.4, php-cli 5.6
2. Install a valid SSL certificate
3. make a static file available as index.html (the default will do).

And the test is running:

bash$ php -r '$a = file_get_contents("https://your-domain-here/index.html"); print gettype($a) . "\n";'

Which should return quickly echoing just "string" (this function returns FALSE if it fails to download).

Then install apache2-mpm-itk package, enable the module (if that's not done automatically for you), restart apache, re-run test.

The command then hangs, possibly returning at 60s, possibly not.

Is there anything that can be done to fix this in configuration? Is it a bug?

Thanks,

Rich

From david at frankieandshadow.com Thu Dec 17 16:10:14 2015
From: david at frankieandshadow.com (David Earl)
Date: Thu, 17 Dec 2015 15:10:14 +0000
Subject: [mpm-itk] ITK seems to make PHP's file_get_contents() hang with https URLs.
In-Reply-To: <5672C7E0.8040301@artfulrobot.uk>
References: <5672C7E0.8040301@artfulrobot.uk>
Message-ID:

This sounds like the same KeepAlive timeout problem that I found 3 months ago happening with Apache 2.4 and SSL with certain user-agents (mostly IE and iOS Safari). 60 seconds is perfect for the KeepAlive interval.

Steinar did a fix for it (I assume this isn't in the main Jessie release yet): see this thread:
https://lists.err.no/pipermail/mpm-itk/2015-September/000929.html

This was the thread about the problem (you may want to look towards the end):
https://lists.err.no/pipermail/mpm-itk/2015-August/000889.html

David

On Thu, 17 Dec 2015 at 14:36 Rich wrote:

> Hi,
>
> Long time user of ITK, but have had a few problems since upgrading to
> the version packaged with Debian Jessie (2.4.10).
>
> The one I'm stuck on took me ages to track it down to ITK, which I
> believe is to blame because if I turn it off the problem goes away.
>
> When using PHP (5.6)'s file_get_contents() function with an https URL
> that points to the ITK-enabled Apache 2.4 server, it will hang,
> indefinitely or for a socket timeout of 60s.
>
> Using wireshark and strace I can see that PHP is able to connect and
> receive the data at normal speed, but then just sits waiting. It doesn't
> close the connection for some reason.
>
> My test environment was:
>
> 1. Install Debian 8, Apache 2.4, php-cli 5.6
> 2. Install a valid SSL certificate
> 3. make a static file available as index.html (the default will do).
>
> And the test is running:
>
> bash$ php -r '$a = file_get_contents("https://your-domain-here/index.html"); print gettype($a) . "\n";'
>
> Which should return quickly echoing just "string" (this function returns
> FALSE if it fails to download).
>
> Then install apache2-mpm-itk package, enable the module (if that's not
> done automatically for you), restart apache, re-run test.
>
> The command then hangs, possibly returning at 60s, possibly not.
>
> Is there anything that can be done to fix this in configuration? Is it a
> bug?
>
> Thanks,
>
> Rich

From sgunderson at bigfoot.com Thu Dec 17 16:20:37 2015
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Thu, 17 Dec 2015 16:20:37 +0100
Subject: [mpm-itk] ITK seems to make PHP's file_get_contents() hang with https URLs.
In-Reply-To:
References: <5672C7E0.8040301@artfulrobot.uk>
Message-ID: <20151217152037.GA25689@sesse.net>

On Thu, Dec 17, 2015 at 03:10:14PM +0000, David Earl wrote:
> Steinar did a fix for it (I assume this isn't in the main Jessie release
> yet): see this thread:
> https://lists.err.no/pipermail/mpm-itk/2015-September/000929.html

You're right. However, you can get it from jessie-proposed-updates, and it will go in for the next jessie point fix.

/* Steinar */
--
Homepage: https://www.sesse.net/

From forums at artfulrobot.uk Thu Dec 17 16:31:28 2015
From: forums at artfulrobot.uk (Rich)
Date: Thu, 17 Dec 2015 15:31:28 +0000
Subject: [mpm-itk] ITK seems to make PHP's file_get_contents() hang with https URLs.
In-Reply-To: <20151217152037.GA25689@sesse.net>
References: <5672C7E0.8040301@artfulrobot.uk> <20151217152037.GA25689@sesse.net>
Message-ID: <5672D550.1000006@artfulrobot.uk>

Ah, David was right! Installing from proposed updates fixes this issue, too!

Thanks David,
Thanks, Steinar!

Rich
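
The first thread in this archive notes that LimitUIDRange and LimitGIDRange depend on seccomp v2 and therefore only work on Linux. The following is an added illustration, not mpm-itk's own code and not part of any message above, of how a seccomp-BPF filter can confine setuid() to a uid range. The helper names limit_setuid_range and probe_setuid are hypothetical, EACCES is an arbitrary choice of error, and the code assumes little-endian x86_64 or aarch64 Linux and covers setuid() only.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Hypothetical helper: setuid(uid) reaches the kernel only if lo <= uid <= hi,
 * otherwise it fails with EACCES. Every other syscall is allowed. Assumes
 * little-endian x86_64/aarch64; a production filter must also check
 * seccomp_data.arch and cover setgid/setreuid/setresuid and friends. */
static int limit_setuid_range(unsigned lo, unsigned hi) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_setuid, 0, 4),  /* else allow */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, lo, 0, 1),  /* uid < lo: deny */
        BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, hi, 0, 1),  /* uid > hi: deny */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EACCES),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { sizeof(prog) / sizeof(prog[0]), prog };
    /* Needed to install a filter without CAP_SYS_ADMIN. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Run setuid(uid) under the filter in a child so the caller stays unfiltered.
 * Returns 0 if the call succeeded, its errno if not, -1 on setup failure. */
static int probe_setuid(unsigned lo, unsigned hi, unsigned uid) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (limit_setuid_range(lo, hi) != 0) _exit(255);
        _exit(syscall(SYS_setuid, uid) == 0 ? 0 : errno);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

int main(void) {
    unsigned me = (unsigned)getuid();
    printf("own uid: %d, other uid: %d\n",
           probe_setuid(me, me, me), probe_setuid(me, me, me + 1));
    return 0;
}
```

The filter is inherited across fork() and cannot be removed once installed, which is why the probe runs in a child process.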