Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:96866
Return-Path: <anatol.php@belski.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 40372 invoked from network); 12 Nov 2016 20:25:26 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 12 Nov 2016 20:25:26 -0000
Authentication-Results: pb1.pair.com smtp.mail=anatol.php@belski.net; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=anatol.php@belski.net; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain belski.net from 85.214.73.107 cause and error)
X-PHP-List-Original-Sender: anatol.php@belski.net
X-Host-Fingerprint: 85.214.73.107 klapt.com  
Received: from [85.214.73.107] ([85.214.73.107:53364] helo=h1123647.serverkompetenz.net)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 29/81-31581-6BA77285 for <internals@lists.php.net>; Sat, 12 Nov 2016 15:25:26 -0500
Received: by h1123647.serverkompetenz.net (Postfix, from userid 1006)
	id D5919782D42; Sat, 12 Nov 2016 21:25:22 +0100 (CET)
Received: from w530phpdev (p57A874B9.dip0.t-ipconnect.de [87.168.116.185])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by h1123647.serverkompetenz.net (Postfix) with ESMTPSA id A9FC9782D42;
	Sat, 12 Nov 2016 21:25:20 +0100 (CET)
To: "'Christoph M. Becker'" <cmbecker69@gmx.de>,
	<internals@lists.php.net>
References: <5eea66e9-0e47-852a-8720-7c7a6a0d2224@gmx.de>
In-Reply-To: <5eea66e9-0e47-852a-8720-7c7a6a0d2224@gmx.de>
Date: Sat, 12 Nov 2016 21:25:17 +0100
Message-ID: <0ca201d23d22$e3d623d0$ab826b70$@belski.net>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQGhhl8nlm7vhO4uD7RW7udIH5N6sqE3N2DQ
Content-Language: en-us
Subject: RE: [PHP-DEV] PaX MPROTECT / W^X protection
From: anatol.php@belski.net ("Anatol Belski")

Hi Christoph,

> -----Original Message-----
> From: Christoph M. Becker [mailto:cmbecker69@gmx.de]
> Sent: Friday, November 11, 2016 7:40 PM
> To: internals@lists.php.net
> Subject: [PHP-DEV] PaX MPROTECT / W^X protection
>=20
> Hi!
>=20
> There are currently at least two unresolved tickets[1][2] in our bug =
tracker
> regarding PaX MPROTECT / W^X protection issues with regard to PCRE =
JIT.  The
> problem is that PCRE JIT mmaps W|X pages[3], what is no longer allowed =
on
> several platforms, such as OpenBSD, FreeBSD and SELinux.  It seems =
that there
> are workarounds (e.g. using paxctl to allow W|X mapping[1], or =
mounting with
> wxallowed[4]), but these appear to be very system specific.
>=20
> My best idea to resolve the reports is to document this issue.  Maybe =
somebody
> has a better idea?
>=20
AFM, the linked tickets are not about an issue in PHP. There are just =
systems, or system configurations, that are very security oriented. If =
some feature is disabled on the system level, there's not much PHP can =
do. To compare - it were wrong same way to say atime doesn't work in =
PHP, if indeed a volume is mounted with atime disabled. Any issue, that =
is only to be solved by the system configuration, is a configuration =
issue in the most case. So the documentation is probably the only what =
we can do in the case.

Regrads

Anatol