Debian Bug report logs - #566609
add suhosin.memory_limit in /etc/cron.d/cacti

Package: cacti; Maintainer for cacti is Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>; Source for cacti is src:cacti.

Reported by: David Herbert <david@deadbattery.co.uk>

Date: Sun, 24 Jan 2010 03:48:02 UTC

Severity: normal

Found in versions cacti/0.8.7e-1.1, cacti/0.8.7e-3

Fixed in version cacti/0.8.8a-2

Done: Paul Gevers <paul@climbing.nl>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Sean Finney <seanius@debian.org>:
Bug#566609; Package cacti. (Sun, 24 Jan 2010 03:48:09 GMT) (full text, mbox, link).


Acknowledgement sent to David Herbert <david@deadbattery.co.uk>:
New Bug report received and forwarded. Copy sent to Sean Finney <seanius@debian.org>. (Sun, 24 Jan 2010 03:48:09 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: David Herbert <david@deadbattery.co.uk>
To: submit@bugs.debian.org
Subject: [cacti] Logs are filling up with suhosin alerts about cacti trying to increase memory_limit
Date: Sun, 24 Jan 2010 03:42:13 +0000
Package: cacti
Version: 0.8.7e-1.1
Severity: normal

--- Please enter the report below this line. ---

Every five mins I'm getting the following in the logs:

Jan 24 03:30:02 turnip suhosin[7858]: ALERT - script tried to increase memory_limit to 268435456 bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file '/usr/share/cacti/site/poller.php', line 171)
Jan 24 03:30:02 turnip suhosin[7861]: ALERT - script tried to increase memory_limit to 268435456 bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file '/usr/share/cacti/site/cmd.php', line 33)

--- System information. ---
Architecture: i386
Kernel:       Linux 2.6.32-trunk-686

Debian Release: squeeze/sid
  500 testing         security.debian.org
  500 testing         ftp.uk.debian.org
  500 testing         debian-multimedia.fx-services.com

--- Package information. ---
Package's Depends field is empty.

Package's Recommends field is empty.

Package's Suggests field is empty.
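
Added example, not part of the original report: a shell sketch for triaging alerts of the kind quoted above, grouping them by script and line and reporting the largest memory_limit any script asked for. The function names, the host name, the CRON line and the last alert in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise suhosin memory_limit alerts read from stdin.

# Constructed sample input. The alert wording and the cacti paths follow the
# report above; host name, CRON line and the report.php alert are made up.
sample_log() {
cat <<'EOF'
Jan 24 03:30:02 host1 suhosin[7858]: ALERT - script tried to increase memory_limit to 268435456 bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file '/usr/share/cacti/site/poller.php', line 171)
Jan 24 03:30:02 host1 suhosin[7861]: ALERT - script tried to increase memory_limit to 268435456 bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file '/usr/share/cacti/site/cmd.php', line 33)
Jan 24 03:35:01 host1 CRON[7990]: (www-data) CMD (php /usr/share/cacti/site/poller.php)
Jan 24 03:35:02 host1 suhosin[7992]: ALERT - script tried to increase memory_limit to 268435456 bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file '/usr/share/cacti/site/poller.php', line 171)
Jan 24 03:36:10 host1 suhosin[8010]: ALERT - script tried to increase memory_limit to 536870912 bytes which is above the allowed value (attacker '192.0.2.10', file '/var/www/app/report.php', line 12)
EOF
}

# Emit "bytes|attacker|file|line" for every memory_limit alert on stdin;
# all other syslog lines are dropped.
suhosin_extract() {
    sed -n "s/.*suhosin\[[0-9]*]: ALERT - script tried to increase memory_limit to \([0-9][0-9]*\) bytes which is above the allowed value (attacker '\([^']*\)', file '\([^']*\)', line \([0-9][0-9]*\)).*/\1|\2|\3|\4/p"
}

# One line per script:line with the alert count, the largest request rounded
# up to MiB, and how many alerts carried a remote address in the attacker
# field (as opposed to 'REMOTE_ADDR not set').
suhosin_memlimit_summary() {
    suhosin_extract | awk -F'|' '
        {
            key = $3 ":" $4
            count[key]++
            if (!(key in max) || $1 + 0 > max[key]) max[key] = $1 + 0
            if ($2 != "REMOTE_ADDR not set") remote[key]++
        }
        END {
            for (key in count)
                printf "%s count=%d requested=%dM remote=%d\n",
                       key, count[key], int((max[key] + 1048575) / 1048576), remote[key]
        }' | LC_ALL=C sort
}

# Largest request seen across all alerts, in MiB: the figure to compare
# against the configured suhosin.memory_limit. Prints nothing if no alerts.
suhosin_memlimit_needed() {
    suhosin_extract | awk -F'|' '
        $1 + 0 > m { m = $1 + 0 }
        END { if (m) printf "%dM\n", int((m + 1048575) / 1048576) }'
}

sample_log | suhosin_memlimit_summary
sample_log | suhosin_memlimit_needed
```

On a live system the functions read the syslog file on stdin instead of `sample_log`.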







Information forwarded to debian-bugs-dist@lists.debian.org, Sean Finney <seanius@debian.org>:
Bug#566609; Package cacti. (Tue, 04 May 2010 18:27:03 GMT) (full text, mbox, link).


Acknowledgement sent to "Christoph Kling" <christoph@familiekling.de>:
Extra info received and forwarded to list. Copy sent to Sean Finney <seanius@debian.org>. (Tue, 04 May 2010 18:27:03 GMT) (full text, mbox, link).


Message #10 received at 566609@bugs.debian.org (full text, mbox, reply):

From: "Christoph Kling" <christoph@familiekling.de>
To: "Debian Bug Tracking System" <566609@bugs.debian.org>
Subject: Re: Logs are filling up with suhosin alerts about cacti trying to increase memory_limit
Date: Tue, 4 May 2010 20:25:08 +0200
Package: cacti
Version: 0.8.7e-3
Severity: normal

*** Please type your report below this line. ***


Hello,

I've tried the following to solve the problem:

#:/etc/cron.d# cat cacti 
MAILTO=root
*/5 * * * * www-data php --define memory_limit=-1 --define suhosin.memory_limit=0 /usr/share/cacti/site/poller.php >/dev/null 2>/var/log/cacti/poller-error.log

I added --define memory_limit=-1 --define suhosin.memory_limit=0 but
nevertheless, the alert messages do not disappear. My /etc/php5/cli/php.ini
contains as well memory_limit=-1 and the suhosin config file in
/etc/php5/conf.d does include suhosin.memory_limit=0. So why are there still
alerts? Is this a suhosin bug?


Regards
Christoph Kling

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages cacti depends on:
ii  apache2-mpm-worker [ht 2.2.15-3          Apache HTTP Server - high speed th
ii  dbconfig-common        1.8.46            common framework for packaging dat
ii  debconf [debconf-2.0]  1.5.32            Debian configuration management sy
ii  libphp-adodb           5.10-1            The ADOdb database abstraction lay
ii  mysql-client-5.1 [virt 5.1.45-1          MySQL database client binaries
ii  php5                   5.3.2-1           server-side, HTML-embedded scripti
ii  php5-cli               5.3.2-1           command-line interpreter for the p
ii  php5-mysql             5.3.2-1           MySQL module for php5
ii  php5-snmp              5.3.2-1           SNMP module for php5
ii  rrdtool                1.4.3-1           time-series data storage and displ
ii  snmp                   5.4.2.1~dfsg-5+b1 SNMP (Simple Network Management Pr
ii  ucf                    3.0025            Update Configuration File: preserv

Versions of packages cacti recommends:
ii  iputils-ping                3:20100214-1 Tools to test the reachability of
ii  logrotate                   3.7.8-6      Log rotation utility
ii  mysql-server-5.1 [mysql-ser 5.1.45-1     MySQL database server binaries

Versions of packages cacti suggests:
pn  php5-ldap                     <none>     (no description available)

-- debconf information:
  cacti/password-confirm: (password omitted)
  cacti/app-password-confirm: (password omitted)
  cacti/mysql/admin-pass: (password omitted)
  cacti/mysql/app-pass: (password omitted)
  cacti/db/app-user: cacti
  cacti/mysql/admin-user: root
* cacti/webserver: Apache2
  cacti/mysql/method: unix socket
  cacti/remote/host:
  cacti/upgrade-error: abort
  cacti/dbconfig-upgrade: true
  cacti/internal/skip-preseed: false
  cacti/remote/newhost:
  cacti/purge: false
  cacti/missing-db-package-error: abort
  cacti/database-type: mysql
  cacti/remove-error: abort
  cacti/db/dbname: cacti
  cacti/upgrade-backup: true
  cacti/install-error: abort
  cacti/internal/reconfiguring: false
  cacti/passwords-do-not-match:
  cacti/dbconfig-remove:
* cacti/dbconfig-install: true
  cacti/remote/port:
  cacti/dbconfig-reinstall: false




Information forwarded to debian-bugs-dist@lists.debian.org, Sean Finney <seanius@debian.org>:
Bug#566609; Package cacti. (Fri, 15 Apr 2011 16:18:03 GMT) (full text, mbox, link).


Acknowledgement sent to Francois Beaulieu <francois.beaulieu@securebyknowledge.com>:
Extra info received and forwarded to list. Copy sent to Sean Finney <seanius@debian.org>. (Fri, 15 Apr 2011 16:18:03 GMT) (full text, mbox, link).


Message #15 received at 566609@bugs.debian.org (full text, mbox, reply):

From: Francois Beaulieu <francois.beaulieu@securebyknowledge.com>
To: "566609@bugs.debian.org" <566609@bugs.debian.org>
Subject: Re: Logs are filling up with suhosin alerts about cacti trying to increase memory_limit
Date: Fri, 15 Apr 2011 12:08:20 -0400
[Message part 1 (text/plain, inline)]
This isn't a suhosin bug, as it is simply doing what it is supposed to be doing.

The log messages can be fixed by changing the memory_limit in /etc/php5/cli/php.ini to a hard limit above 512M, or it can be fixed by changing the suhosin.memory_limit to 512M or more. (Or by uninstalling php5-suhosin...)

The root cause of this problem is that php5-common recommends the installation of php5-suhosin while at the same time setting the memory_limit in /etc/php5/cli/php.ini to -1 and setting the suhosin.memory_limit to 0 by default. These settings are mutually incompatible. I suggest you file a bug on php5-common, but I presume that it will be filed as WontFix based on this: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=582384

--
François Beaulieu, CISSP
Conseiller principal / Senior Consultant
Secure by Knowledge
+1 (514) 667-0691 ext 2061
francois.beaulieu@securebyknowledge.com

[Message part 2 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Sean Finney <seanius@debian.org>:
Bug#566609; Package cacti. (Fri, 15 Apr 2011 19:45:03 GMT) (full text, mbox, link).


Acknowledgement sent to Francois Beaulieu <francois.beaulieu@securebyknowledge.com>:
Extra info received and forwarded to list. Copy sent to Sean Finney <seanius@debian.org>. (Fri, 15 Apr 2011 19:45:03 GMT) (full text, mbox, link).


Message #20 received at 566609@bugs.debian.org (full text, mbox, reply):

From: Francois Beaulieu <francois.beaulieu@securebyknowledge.com>
To: "566609@bugs.debian.org" <566609@bugs.debian.org>
Subject: Re: Bug#566609: Logs are filling up with suhosin alerts about cacti trying to increase memory_limit
Date: Fri, 15 Apr 2011 15:38:55 -0400
[Message part 1 (text/plain, inline)]
More precisely, I believe the proper fix would be to set the memory_limit in /etc/php5/cli/php.ini to a proper system-wide value (not -1), and to add "--define suhosin.memory_limit=512M" to the cacti poller command in /etc/cron.d/cacti.

--
François Beaulieu, CISSP
Conseiller principal / Senior Consultant
Secure by Knowledge
+1 (514) 667-0691 ext 2061
francois.beaulieu@securebyknowledge.com

On 2011-04-15, at 12:08 PM, Francois Beaulieu wrote:

> This isn't a suhosin bug, as it is simply doing what it is supposed to be doing.
>
> The log messages can be fixed by changing the memory_limit in /etc/php5/cli/php.ini to a hard limit above 512M, or it can be fixed by changing the suhosin.memory_limit to 512M or more. (Or by uninstalling php5-suhosin...)
>
> The root cause of this problem is that php5-common recommends the installation of php5-suhosin while at the same time setting the memory_limit in /etc/php5/cli/php.ini to -1 and setting the suhosin.memory_limit to 0 by default. These settings are mutually incompatible. I suggest you file a bug on php5-common, but I presume that it will be filed as WontFix based on this: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=582384
>
> --
> François Beaulieu, CISSP
> Conseiller principal / Senior Consultant
> Secure by Knowledge
> +1 (514) 667-0691 ext 2061
> francois.beaulieu@securebyknowledge.com


[Message part 2 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#566609; Package cacti. (Mon, 09 Apr 2012 11:06:14 GMT) (full text, mbox, link).


Acknowledgement sent to Paul Gevers <paul@climbing.nl>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Mon, 09 Apr 2012 11:06:18 GMT) (full text, mbox, link).


Message #25 received at 566609@bugs.debian.org (full text, mbox, reply):

From: Paul Gevers <paul@climbing.nl>
To: control@bugs.debian.org, 566609@bugs.debian.org
Subject: bug not in cacti
Date: Mon, 09 Apr 2012 13:03:13 +0200
[Message part 1 (text/plain, inline)]
clone 566609 -1
reassign -1 php5-cli
retitle -1 provide proper memory_limit in /etc/php5/cli/php.ini
retitle 566609 add suhosin.memory_limit in /etc/cron.d/cacti
thanks

Sorry for not responding for such a long time.

Question, does this "--define suhosin.memory_limit=512M" also work if
php5-suhosin is not installed? I.e. does it break systems that don't use it?

Paul

[signature.asc (application/pgp-signature, attachment)]

Bug 566609 cloned as bug 668157 Request was from Paul Gevers <paul@climbing.nl> to control@bugs.debian.org. (Mon, 09 Apr 2012 11:06:28 GMT) (full text, mbox, link).


Changed Bug title to 'add suhosin.memory_limit in /etc/cron.d/cacti' from '[cacti] Logs are filling up with suhosin alerts about cacti trying to increase memory_limit' Request was from Paul Gevers <paul@climbing.nl> to control@bugs.debian.org. (Mon, 09 Apr 2012 11:06:31 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#566609; Package cacti. (Tue, 01 May 2012 16:00:03 GMT) (full text, mbox, link).


Acknowledgement sent to Francois Beaulieu <francois.beaulieu@securebyknowledge.com>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Tue, 01 May 2012 16:00:03 GMT) (full text, mbox, link).


Message #34 received at 566609@bugs.debian.org (full text, mbox, reply):

From: Francois Beaulieu <francois.beaulieu@securebyknowledge.com>
To: Paul Gevers <paul@climbing.nl>, "566609@bugs.debian.org" <566609@bugs.debian.org>
Cc: "control@bugs.debian.org" <control@bugs.debian.org>
Subject: Re: Bug#566609: bug not in cacti
Date: Tue, 1 May 2012 11:51:55 -0400
[Message part 1 (text/plain, inline)]
Hi Paul,

I've confirmed that cacti continues to work with "--define suhosin.memory_limit=512M" specified and php5-suhosin uninstalled. There seems to be no negative impact on having it specified when not using suhosin.

However, I've determined that for all error messages to disappear, you must make three changes:

- Set memory_limit to a reasonable value (like 128M) in /etc/php5/cli/php.ini, it cannot be "-1".
- Modify /etc/cron.d/cacti to look like this:
"*/1 * * * * www-data php --define suhosin.memory_limit=512M /usr/share/cacti/site/poller.php >/dev/null 2>/var/log/cacti/poller-error.log"
- and modify /usr/share/cacti/site/poller.php, line 297 to look like this:
"$extra_args     = "-q --define suhosin.memory_limit=512M \"" . $config["base_path"] . "/cmd.php\"";"

Thanks,

François Beaulieu
1194 Stanley
Montréal (Québec) H3B 2S7
Bureau: 514.667.0691 poste 2061
Courriel: francois.beaulieu@securebyknowledge.com | Web: www.securebyknowledge.com

On 2012-04-09, at 7:03 AM, Paul Gevers wrote:

> clone 566609 -1
> reassign -1 php5-cli
> retitle -1 provide proper memory_limit in /etc/php5/cli/php.ini
> retitle 566609 add suhosin.memory_limit in /etc/cron.d/cacti
> thanks
>
> Sorry for not responding for such a long time.
>
> Question, does this "--define suhosin.memory_limit=512M" also work if
> php5-suhosin is not installed? I.e. does it break systems that don't use it?
>
> Paul


[Message part 2 (text/html, inline)]
[image.png (image/png, inline)]
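
Added example, not part of the thread or of the cacti package: a shell check for the three changes listed in the message above, given the paths of the CLI php.ini, the cron file and poller.php. The function names and the "before" sample files are constructed; the "after" cron and poller.php lines are the ones quoted in the message, and `-d` is accepted as the short form of `--define`.

```shell
#!/bin/sh
# Added example: report which of the three changes are still missing.
# Usage: audit_cacti_suhosin PHP_INI CRON_FILE POLLER_PHP
# Prints one "MISSING:" line per change not applied; returns 0 only if none.

audit_cacti_suhosin() {
    php_ini=$1 cron_file=$2 poller_php=$3
    findings=0

    # 1. CLI php.ini: take the last uncommented memory_limit; it must not be -1.
    limit=$(sed -n 's/^[[:space:]]*memory_limit[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p' "$php_ini" | tail -n 1)
    if [ -z "$limit" ] || [ "$limit" = "-1" ]; then
        echo "MISSING: memory_limit in $php_ini is '${limit:-unset}', expected a finite value"
        findings=$((findings + 1))
    fi

    # 2. Cron: every active line that runs poller.php must pass the define.
    if grep -v '^[[:space:]]*#' "$cron_file" | grep 'poller\.php' |
        grep -Eqv -e '(--define|-d)[[:space:]]+suhosin\.memory_limit='; then
        echo "MISSING: poller.php entry in $cron_file lacks --define suhosin.memory_limit"
        findings=$((findings + 1))
    fi

    # 3. poller.php: the $extra_args line that launches cmd.php must pass it on.
    if grep -F '$extra_args' "$poller_php" | grep -F 'cmd.php' |
        grep -Fqv 'suhosin.memory_limit='; then
        echo "MISSING: \$extra_args for cmd.php in $poller_php lacks suhosin.memory_limit"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Write constructed sample files into DIR; STATE is "before" or "after".
write_sample() {
    dir=$1 state=$2
    if [ "$state" = after ]; then
        echo 'memory_limit = 128M' > "$dir/php.ini"
        cat > "$dir/cacti" <<'EOF'
MAILTO=root
*/1 * * * * www-data php --define suhosin.memory_limit=512M /usr/share/cacti/site/poller.php >/dev/null 2>/var/log/cacti/poller-error.log
EOF
        cat > "$dir/poller.php" <<'EOF'
<?php
$extra_args     = "-q --define suhosin.memory_limit=512M \"" . $config["base_path"] . "/cmd.php\"";
EOF
    else
        echo 'memory_limit = -1' > "$dir/php.ini"
        cat > "$dir/cacti" <<'EOF'
MAILTO=root
*/5 * * * * www-data php /usr/share/cacti/site/poller.php >/dev/null 2>/var/log/cacti/poller-error.log
EOF
        cat > "$dir/poller.php" <<'EOF'
<?php
$extra_args     = "-q \"" . $config["base_path"] . "/cmd.php\"";
EOF
    fi
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir" before
audit_cacti_suhosin "$demo_dir/php.ini" "$demo_dir/cacti" "$demo_dir/poller.php" || true
rm -rf "$demo_dir"
```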

Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#566609; Package cacti. (Tue, 01 May 2012 17:03:03 GMT) (full text, mbox, link).


Acknowledgement sent to Paul Gevers <paul@climbing.nl>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Tue, 01 May 2012 17:03:03 GMT) (full text, mbox, link).


Message #39 received at 566609@bugs.debian.org (full text, mbox, reply):

From: Paul Gevers <paul@climbing.nl>
To: 566609@bugs.debian.org
Subject: Re: [Pkg-cacti-maint] Bug#566609: bug not in cacti
Date: Tue, 01 May 2012 18:52:08 +0200
[Message part 1 (text/plain, inline)]
François,

> However, I've determined that for all error messages to disappear, you
> must make three changes:
> 
> - Set memory_limit to a reasonable value (like 128M) in
> /etc/php5/cli/php.ini, it cannot be "-1".

This should be done by php5-cli in bug 668157 [1]

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668157

> - Modify /etc/cron.d/cacti to look like this:
> "*/1 * * * * www-data php *--define suhosin.memory_limit=512M*
> /usr/share/cacti/site/poller.php >/dev/null
> 2>/var/log/cacti/poller-error.log"

I will add this for the next upload of cacti.

> - and modify /usr/share/cacti/site/poller.php, line 297 to look like this:
> "$extra_args     = "-q *--define suhosin.memory_limit=512M* \"" .
> $config["base_path"] . "/cmd.php\"";"

Could you please file an issue for this upstream at [2]? I don't think
so, or is this really a Debian issue?

[2] http://bugs.cacti.net/

Paul

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#566609; Package cacti. (Tue, 01 May 2012 17:36:13 GMT) (full text, mbox, link).


Acknowledgement sent to Paul Gevers <paul@climbing.nl>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Tue, 01 May 2012 17:36:13 GMT) (full text, mbox, link).


Message #44 received at 566609@bugs.debian.org (full text, mbox, reply):

From: Paul Gevers <paul@climbing.nl>
To: 566609@bugs.debian.org
Subject: Re: Bug#566609: [Pkg-cacti-maint] Bug#566609: bug not in cacti
Date: Tue, 01 May 2012 19:34:29 +0200
[Message part 1 (text/plain, inline)]
>> This should be done by php5-cli in bug 668157 [1]
> 
> Agreed! But, historically, this type of request has been filed as WONTFIX.

Then there is nothing we can do. We as the cacti maintainers can not
change /etc/php5/cli/php.ini

> It's somewhat specific to Debian, as it is Debian that auto-installs
> php5-suhosin with php.

Ok. But I suggest you still try as there may be more distributions
having this issue and also users that are using php5-suhosin themselves.
If the answer is no, then I guess we will have to patch this
indefinitely, which we will by the way.

Paul
PS, please respond to the bug report. There is no need to e-mail me
privately. If you don't want to go through the bts, please use the
pkg-cacti-maint e-mail address.

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#566609; Package cacti. (Wed, 02 May 2012 23:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to Francois Beaulieu <francois.beaulieu@securebyknowledge.com>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Wed, 02 May 2012 23:21:03 GMT) (full text, mbox, link).


Message #49 received at 566609@bugs.debian.org (full text, mbox, reply):

From: Francois Beaulieu <francois.beaulieu@securebyknowledge.com>
To: Paul Gevers <paul@climbing.nl>, "566609@bugs.debian.org" <566609@bugs.debian.org>
Subject: Re: Bug#566609: [Pkg-cacti-maint] Bug#566609: bug not in cacti
Date: Wed, 2 May 2012 19:18:57 -0400
[Message part 1 (text/plain, inline)]
It appears to be solved upstream:

http://bugs.cacti.net/view.php?id=1583

François Beaulieu

On 2012-05-01, at 1:34 PM, Paul Gevers wrote:

>> It's somewhat specific to Debian, as it is Debian that auto-installs
>> php5-suhosin with php.
>
> Ok. But I suggest you still try as there may be more distributions
> having this issue and also users that are using php5-suhosin themselves.
> If the answer is no, then I guess we will have to patch this
> indefinitely, which we will by the way.

[Message part 2 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#566609; Package cacti. (Thu, 03 May 2012 16:45:03 GMT) (full text, mbox, link).


Acknowledgement sent to Paul Gevers <paul@climbing.nl>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Thu, 03 May 2012 16:45:03 GMT) (full text, mbox, link).


Message #54 received at 566609@bugs.debian.org (full text, mbox, reply):

From: Paul Gevers <paul@climbing.nl>
To: "566609@bugs.debian.org" <566609@bugs.debian.org>
Subject: Re: Bug#566609: [Pkg-cacti-maint] Bug#566609: bug not in cacti
Date: Thu, 03 May 2012 18:42:21 +0200
[Message part 1 (text/plain, inline)]
On 03-05-12 00:38, Francois Beaulieu wrote:
>> It appears to be solved upstream:

Which part?

>> http://bugs.cacti.net/view.php?id=1583

This change (revision 5717) never made it completely to the 0.8.X branch
and remained in main. They did make nearly the same change to the 0.8.7
branch in revision 5743 (April 2010), without the configuration part.

So I wonder:
- on which version of cacti did you do your verifications?
- do we still need the --define suhosin.memory_limit lines, even if a
proper memory_limit is set by cacti's scripts? As I understand it, yes,
or are those suhosin limits taken from the php memory_limit?

Paul

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#566609; Package cacti. (Thu, 03 May 2012 18:06:03 GMT) (full text, mbox, link).


Acknowledgement sent to Francois Beaulieu <francois.beaulieu@securebyknowledge.com>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Thu, 03 May 2012 18:06:03 GMT) (full text, mbox, link).


Message #59 received at 566609@bugs.debian.org (full text, mbox, reply):

From: Francois Beaulieu <francois.beaulieu@securebyknowledge.com>
To: Paul Gevers <paul@climbing.nl>, "566609@bugs.debian.org" <566609@bugs.debian.org>
Subject: Re: Bug#566609: [Pkg-cacti-maint] Bug#566609: bug not in cacti
Date: Thu, 3 May 2012 14:02:22 -0400
[Message part 1 (text/plain, inline)]


On 2012-05-03, at 12:42 PM, Paul Gevers wrote:

> On 03-05-12 00:38, Francois Beaulieu wrote:
>> It appears to be solved upstream:
>
> Which part?

I have not had a chance to verify it personally, but they seem to no longer use ini_set within cmd.php or other cacti php scripts, according to the notes. This would mean that we would not need to modify the scripts to add --define suhosin.memory_limit to script calls.

>> http://bugs.cacti.net/view.php?id=1583
>
> This change (revision 5717) never made it completely to the 0.8.X branch
> and remained in main. They did make nearly the same change to the 0.8.7
> branch in revision 5743 (April 2010), without the configuration part.

Has it made it into v0.8.8? The case notes certainly indicate that it did.

> - on which version of cacti did you do your verifications?

I have not tested against any versions other than the v0.8.7g provided by Debian.

> - do we still need the --define suhosin.memory_limit lines, even if a
> proper memory_limit is set by cacti's scripts? As I understand it, yes,
> or are those suhosin limits taken from the php memory_limit?

We will need to define suhosin.memory_limit in all versions that don't include the fix. From my understanding of the fix, users may also need to add it manually to the scripts in the fixed version if they define a non-standard memory_limit in config.pgp. However, since by default the memory_limit will be fixed to 512M globally, no script will use ini_set to increase its memory, and suhosin will thus no longer complain even when suhosin.memory_limit isn't defined. This is my understanding, but is untested, so it may be wrong. (I have no time to set up and test a non-debian version right now.)

Thanks,
François Beaulieu
Courriel: francois.beaulieu@securebyknowledge.com | Web: www.securebyknowledge.com

[Message part 2 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#566609; Package cacti. (Thu, 03 May 2012 18:39:06 GMT) (full text, mbox, link).


Acknowledgement sent to Paul Gevers <paul@climbing.nl>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Thu, 03 May 2012 18:39:06 GMT) (full text, mbox, link).


Message #64 received at 566609@bugs.debian.org (full text, mbox, reply):

From: Paul Gevers <paul@climbing.nl>
To: "Bug 566609" <566609@bugs.debian.org>
Subject: Re: Bug#566609: [Pkg-cacti-maint] Bug#566609: bug not in cacti
Date: Thu, 03 May 2012 20:28:29 +0200
[Message part 1 (text/plain, inline)]
> I have not had a chance to verify it personally, but they seem to no
> longer use ini_set within cmd.php or other cacti php scripts, according
> to the notes. This would mean that we would not need to modify the
> scripts to add --define suhosin.memory_limit to script calls.
> 
>>>> http://bugs.cacti.net/view.php?id=1583
>>
>> This change (revision 5717) never made it completely to the 0.8.X branch
>> and remained in main. They did make nearly the same change to the 0.8.7
>> branch in revision 5743 (April 2010), without the configuration part.
> 
> Has it made it into v0.8.8? The case notes certainly indicate that it did.

(My typo, the original revision was 5617 [1])

Well, the biggest part went into 0.8.7something, except for the
possibility to configure the limit and the fact that the ini_set was
done in global.php instead of the two last scripts. Reading from the
diffs, there are two scripts left that use ini_set:

paul@stromboli ~/cacti/cacti $ grep -n ini_set\(\"memory_limit *
cmd.php:64:ini_set("memory_limit", "512M");
poller.php:211:ini_set("memory_limit", "512M");

> I have not tested against any versions other than the v0.8.7g provided
> by Debian.

The "changes" were already included in that version. So your tests are
the same for 0.8.8.

> We will need to define suhosin.memory_limit in all versions that don't
> include the fix. From my understanding of the fix, users may also need
> to add it manually to the scripts in the fixed version if they define a
> non-standard memory_limit in config.pgp. However, since by default the
> memory_limit will be fixed to 512M globally, no script will use ini_set
> to increase its memory, and suhosin will thus no longer complain even
> when suhosin.memory_limit isn't defined. This is my understanding, but
> is untested, so it may be wrong. (I have no time to set up and test a
> non-debian version right now.)

See my comments above. But even if global.php would set the
memory_limit, the issue would still be there wouldn't it? I.e. asking
the cacti developers to port the changes in 5617 wouldn't really help
anyway.

By the way, from your proposed solution: the fact that a php script can
call (via command line) another php script while setting the
suhosin.memory_limit defeats the purpose of suhosin quite a bit, doesn't
it? Seems like a hole in the system.

Paul

[1] http://svn.cacti.net/viewvc?view=rev&revision=5617

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>:
Bug#566609; Package cacti. (Thu, 03 May 2012 19:15:06 GMT) (full text, mbox, link).


Acknowledgement sent to Francois Beaulieu <francois.beaulieu@securebyknowledge.com>:
Extra info received and forwarded to list. Copy sent to Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>. (Thu, 03 May 2012 19:15:06 GMT) (full text, mbox, link).


Message #69 received at 566609@bugs.debian.org (full text, mbox, reply):

From: Francois Beaulieu <francois.beaulieu@securebyknowledge.com>
To: Paul Gevers <paul@climbing.nl>, "566609@bugs.debian.org" <566609@bugs.debian.org>
Subject: Re: Bug#566609: [Pkg-cacti-maint] Bug#566609: bug not in cacti
Date: Thu, 3 May 2012 15:13:24 -0400
[Message part 1 (text/plain, inline)]
On 2012-05-03, at 2:28 PM, Paul Gevers wrote:

> Well, the biggest part went into 0.8.7something, except for the
> possibility to configure the limit and the fact that the ini_set was
> done in global.php instead of the two last scripts.

The part that was left out is the only important part, in regards to this bug...

> Reading from the
> diffs, there are two scripts left that use ini_set:

Which are the same two that my proposed fix modifies by hand.

> See my comments above. But even if global.php would set the
> memory_limit, the issue would still be there wouldn't it? I.e. asking
> the cacti developers to port the changes in 5617 wouldn't really help
> anyway.

That depends entirely on how it is implemented. It all boils down to: do the individual scripts still call ini_set to change their memory_limit themselves? If so, then we still need to define suhosin.memory_limit. If not, then suhosin won't complain: it only complains when a script tries to increase its memory limit mid-run.

> By the way, from your proposed solution: the fact that a php script can
> call (via command line) an other php script while setting the
> suhosin.memory_limit defeats the purpose of suhosin quite a bit, doesn't
> it? Seems like a hole in the system.

That's a whole different argument. Most people don't seem to find the suhosin patch to be particularly useful... It appears to be quite a kludge. Don't know if my fix uses a "hole" per se; I assume that the suhosin devs feel that suhosin is meant only to protect against misbehaving scripts and external attacks. If a user is able to modify the script or call them from the command line, then all bets are off and suhosin is useless anyways.

François Beaulieu
Courriel: francois.beaulieu@securebyknowledge.com | Web: www.securebyknowledge.com
[Message part 2 (text/html, inline)]

Reply sent to Paul Gevers <paul@climbing.nl>:
You have taken responsibility. (Sat, 19 May 2012 10:06:17 GMT) (full text, mbox, link).


Notification sent to David Herbert <david@deadbattery.co.uk>:
Bug acknowledged by developer. (Sat, 19 May 2012 10:06:23 GMT) (full text, mbox, link).


Message #74 received at 566609-close@bugs.debian.org (full text, mbox, reply):

From: Paul Gevers <paul@climbing.nl>
To: 566609-close@bugs.debian.org
Subject: Bug#566609: fixed in cacti 0.8.8a-2
Date: Sat, 19 May 2012 10:02:14 +0000
Source: cacti
Source-Version: 0.8.8a-2

We believe that the bug you reported is fixed in the latest version of
cacti, which is due to be installed in the Debian FTP archive:

cacti_0.8.8a-2.debian.tar.gz
  to main/c/cacti/cacti_0.8.8a-2.debian.tar.gz
cacti_0.8.8a-2.dsc
  to main/c/cacti/cacti_0.8.8a-2.dsc
cacti_0.8.8a-2_all.deb
  to main/c/cacti/cacti_0.8.8a-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 566609@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Gevers <paul@climbing.nl> (supplier of updated cacti package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 19 May 2012 07:56:04 +0200
Source: cacti
Binary: cacti
Architecture: source all
Version: 0.8.8a-2
Distribution: unstable
Urgency: low
Maintainer: Cacti Maintainer <pkg-cacti-maint@lists.alioth.debian.org>
Changed-By: Paul Gevers <paul@climbing.nl>
Description: 
 cacti      - web interface for graphing of monitoring systems
Closes: 566609
Changes: 
 cacti (0.8.8a-2) unstable; urgency=low
 .
   * Use ts to timestamp poller errors in cron when available and add moreutils
     to suggests.
   * Add suhosin.memory_limit to cron and poller (Closes: #566609)
   * Add dependency on ${perl:Depends} as the dependency on perl was missing
   * Use a template based on config.php for debian.php creation to include
     non-database options and get rid of 01_config.php.patch by creating link
     to debian.php instead. Update two dependent patches.
   * Add different sub folders to local resource in d/dirs
   * Add cacti.sql_ensure_cron_works.patch to prevent failure of crontab after
     install as the paths to rrdtool and php are not set.
   * Add cacti.sql_drop_tables_to_begin.patch patch to work around bug 665742
     where dbconfig-common does not drop the tables during reconfigure so we have
     to do it on population of the database to prevent errors.
   * Update d/copyright to include proper license info for jscalendar and
     treeview (this last one needs action). Also update Cacti's license as it
     has been GPL-2+ all along.
   * Readded debconf question option for lighttpd lost in commit 98fed9b while
     preventing the need to call for new translations. Use lower-case apache2 and
     lighttpd as package names at the same time.
   * Update 08_563955_local_data_id.patch with upstream bug number
   * Improve rra removal on purge (one higher level directory) in postrm





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2012 07:34:44 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 01:13:58 2023; Machine Name: bembo
