php-fpm chrooted on a partition mounted noexec and dns

Posted by gg 
Hello!
php-fpm is chrooted in /var/www. /var/www is mounted noexec.
Scripts like this:
<?php
error_reporting(E_ALL);
echo file_get_contents('http://google.com/');

show:
Warning: file_get_contents() [function.file-get-contents]:
php_network_getaddresses: getaddrinfo failed: Name or service not
known in

How do I compile php-5.3.10 to make it work in a chroot on a noexec mount?
I mean working fsockopen, file_get_contents, etc.
The system is Debian Wheezy amd64.
Rainer Duffner
Re: php-fpm chrooted on a partition mounted noexec and dns
April 12, 2012 08:12AM
On Thu, 12 Apr 2012 04:55:44 -0700 (PDT), gg <gglater62@gmail.com> wrote:

> Hello!
> php-fpm is chrooted in /var/www. /var/www is mounted noexec.
> Scripts like this:
> <?php
> error_reporting(E_ALL);
> echo file_get_contents('http://google.com/');
>
> show:
> Warning: file_get_contents() [function.file-get-contents]:
> php_network_getaddresses: getaddrinfo failed: Name or service not
> known in
>
> How to compile php-5.3.10 to make it work in chroot and noexec.
> I mean working fsockopen, file_get_contents, etc.
> The system is Debian Wheezy amd64.


You have to have an /etc/resolv.conf in the chroot (and nsswitch.conf
and various other stuff, depending on your needs).
Also, the chroot needs to have all the binaries and libraries needed by
the various tools.
On FreeBSD, I use nullfs-mounts - don't know about Debian.
On 12 Apr, 14:10, Rainer Duffner <rai...@ultra-secure.de> wrote:
> On Thu, 12 Apr 2012 04:55:44 -0700 (PDT), gg <gglate...@gmail.com> wrote:
>
> > Hello!
> > php-fpm is chrooted in /var/www. /var/www is mounted noexec.
> > Scripts like this:
> > <?php
> > error_reporting(E_ALL);
> > echo file_get_contents('http://google.com/');
>
> > show:
> > Warning: file_get_contents() [function.file-get-contents]:
> > php_network_getaddresses: getaddrinfo failed: Name or service not
> > known in
>
> > How to compile php-5.3.10 to make it work in chroot and noexec.
> > I mean working fsockopen, file_get_contents, etc.
> > The system is Debian Wheezy amd64.
>
> You have to have an /etc/resolv.conf in the chroot (and nsswitch.conf
> and various other stuff, depending on your needs)
> Also, the chroot needs to have all the binaries and libraries needed by
> the various tools.
> On FreeBSD, I use nullfs-mounts - don't know about Debian.
It is not so easy. The nss_* modules are dynamic on Debian, for example
libnss_dns, and they do not work with noexec. I recompiled eglibc with
--enable-static-nss. I tried to link php-fpm statically, and tried to link
against static -lc -lnss_files -lnss_dns -lresolv, but with no luck.

The first try:
open("/lib/x86_64-linux-gnu/libnss_dns.so.2", O_RDONLY) = 4
read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\20\0\0\0\0\0\0"..., 832) = 832
fstat(4, {st_mode=S_IFREG|0644, st_size=22928, ...}) = 0
mmap(NULL, 2117888, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = -1 EPERM (Operation not permitted)

The second (static php):
compilation fails with: dynamic STT_GNU_IFUNC symbol `strcmp' with pointer equality

The third: link against static libraries
I added to BUILD_FPM, after $(ZEND_EXTRA_LIBS): -static -Wl,--start-group -lc -lnss_files -lnss_dns -lresolv -Wl,--end-group
There is no "call" to libnss_dns.so.2, but there is the same php error as above.

More ideas?
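The two replies above describe the same requirement from both sides: Rainer's list of files the chroot must contain, and gg's strace showing the real blocker, glibc dlopen()ing /lib/x86_64-linux-gnu/libnss_dns.so.2 and the mmap(PROT_EXEC) being refused with EPERM on a noexec mount. The following audit script is an added example, not code from the thread or from php-fpm; it checks a candidate jail for both problems before php-fpm is chrooted into it. It assumes Debian amd64 library paths (libnss_files.so.2 and libresolv.so.2 are assumed to sit beside the libnss_dns.so.2 path from the strace) and reads a /proc/mounts-style file whose path is given as the second argument, so it can also be run against a constructed mounts table.

```shell
#!/bin/sh
# Added audit helper (not code from the thread): check whether a php-fpm chroot
# has what glibc's resolver needs. Assumptions: Debian amd64 library paths, and a
# /proc/mounts-style file passed as the second argument (defaults to /proc/mounts).

# Print the mount options of the deepest mount point that contains ROOT.
chroot_mount_opts() {
    root=$1
    mounts=${2:-/proc/mounts}
    best=""
    bestopts=""
    while read -r _dev mnt _type opts _rest; do
        case "$mnt" in
            /) hit=1 ;;
            *) case "$root/" in "$mnt"/*) hit=1 ;; *) hit=0 ;; esac ;;
        esac
        # keep the longest matching mount point (a mount under /var shadows /)
        if [ "$hit" -eq 1 ] && [ "${#mnt}" -ge "${#best}" ]; then
            best=$mnt
            bestopts=$opts
        fi
    done < "$mounts"
    printf '%s\n' "$bestopts"
}

# Succeed (exit 0) when ROOT lives on a filesystem mounted noexec, i.e. the
# situation in which mmap(PROT_EXEC) of libnss_dns.so.2 fails with EPERM.
chroot_is_noexec() {
    case ",$(chroot_mount_opts "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print each resolver-related path missing from the jail, one per line.
# nsswitch.conf picks the NSS backends, resolv.conf names the DNS servers, and
# the libnss_*/libresolv objects are what getaddrinfo() dlopen()s at run time.
# The library paths are an assumption based on the Debian amd64 layout.
chroot_missing() {
    root=$1
    for f in etc/resolv.conf etc/nsswitch.conf etc/hosts \
             lib/x86_64-linux-gnu/libnss_files.so.2 \
             lib/x86_64-linux-gnu/libnss_dns.so.2 \
             lib/x86_64-linux-gnu/libresolv.so.2; do
        [ -e "$root/$f" ] || printf '%s\n' "$f"
    done
}

# Combined report; exit status 0 only when nothing is wrong.
audit_chroot() {
    root=$1
    mounts=$2
    status=0
    if chroot_is_noexec "$root" "$mounts"; then
        echo "noexec: $root is on a noexec mount; NSS modules cannot be mapped PROT_EXEC"
        status=1
    fi
    missing=$(chroot_missing "$root")
    if [ -n "$missing" ]; then
        echo "missing from $root:"
        printf '  %s\n' $missing
        status=1
    fi
    return $status
}

# Stand-alone use: sh audit.sh /var/www [/proc/mounts]
if [ $# -gt 0 ]; then
    audit_chroot "$@"
fi
```

Run it on the live host as `sh audit.sh /var/www` before starting the chrooted pool. A noexec hit means no amount of copying libraries into the jail will help, because the failure is in the kernel's refusal to map the file executable; the library directory has to come from a mount without noexec (the Linux counterpart of the nullfs mounts Rainer mentions is `mount --bind`), or NSS has to be built in statically as gg attempted.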