[Pkg-cacti-maint] Bug#566609: Bug#566609: bug not in cacti

Francois Beaulieu francois.beaulieu at securebyknowledge.com
Thu May 3 19:13:24 UTC 2012


On 2012-05-03, at 2:28 PM, Paul Gevers wrote:

> Well, the biggest part went into 0.8.7something, except for the
> possibility to configure the limit and the fact that the ini_set was
> done in global.php instead of the two last scripts.

The part that was left out is the only important part, in regards to this bug...

> Reading from the
> diffs, there are two scripts left that use ini_set:

Which are the same two that my proposed fix modifies by hand.

> See my comments above. But even if global.php would set the
> memory_limit, the issue would still be there wouldn't it? I.e. asking
> the cacti developers to port the changes in 5617 wouldn't really help
> anyway.

That depends entirely on how it is implemented. It all boils down to: do the individual scripts still call ini_set to change their memory_limit themselves? If so, then we still need to define suhosin.memory_limit. If not, then suhosin won't complain: it only complains when a script tries to increase its memory limit mid-run.

> By the way, from your proposed solution: the fact that a php script can
> call (via command line) another php script while setting the
> suhosin.memory_limit defeats the purpose of suhosin quite a bit, doesn't
> it? Seems like a hole in the system.

That's a whole different argument. Most people don't seem to find the suhosin patch to be particularly useful... It appears to be quite a kludge. Don't know if my fix uses a "hole" per se; I assume that the suhosin devs feel that suhosin is meant only to protect against misbehaving scripts and external attacks. If a user is able to modify the scripts or call them from the command line, then all bets are off and suhosin is useless anyway.

François Beaulieu
Email: francois.beaulieu at securebyknowledge.com | Web: http://www.securebyknowledge.com/
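As an added example, not code from the thread or from the cacti package: the question above is "do the individual scripts still call ini_set to change their memory_limit themselves", because that is the action suhosin rejects unless suhosin.memory_limit is set at least as high. The POSIX shell functions below scan a directory for PHP scripts that do exactly that, and derive the php.ini value that would cover them. The behaviour of suhosin is taken as the thread describes it; the file names and contents used when running it are constructed for the demonstration and are not cacti's scripts.

```shell
#!/bin/sh
# Added example (not from the cacti package or the thread): find PHP scripts that
# raise memory_limit at run time with ini_set(), which suhosin blocks unless
# suhosin.memory_limit is at least as high, and suggest that php.ini line.
# Any file names used with these functions are constructed for the demo.

# Print the path of every *.php file under $1 that calls ini_set('memory_limit', ...).
find_memory_limit_overrides() {
    find "$1" -name '*.php' -exec grep -lE \
        "ini_set[[:space:]]*\([[:space:]]*['\"]memory_limit['\"]" {} \; | sort
}

# Convert a PHP shorthand size (512M, 1G, 65536, -1 for unlimited) to bytes.
php_size_to_bytes() {
    v="$1"
    case "$v" in
        -1)    echo -1 ;;
        *[Gg]) echo $(( ${v%?} * 1024 * 1024 * 1024 )) ;;
        *[Mm]) echo $(( ${v%?} * 1024 * 1024 )) ;;
        *[Kk]) echo $(( ${v%?} * 1024 )) ;;
        *)     echo "$v" ;;
    esac
}

# Print the largest memory_limit any script under $1 requests, in the shorthand
# it used; print -1 as soon as one script asks for no limit at all; print
# nothing if no script overrides the limit.
max_requested_limit() {
    best_bytes=0
    best=""
    for f in $(find_memory_limit_overrides "$1"); do
        # second argument of ini_set('memory_limit', '...'), one per matching line
        val=$(sed -nE "s/.*ini_set[[:space:]]*\([[:space:]]*['\"]memory_limit['\"][[:space:]]*,[[:space:]]*['\"]([^'\"]+)['\"].*/\1/p" "$f")
        for v in $val; do
            b=$(php_size_to_bytes "$v")
            if [ "$b" -eq -1 ]; then echo "-1"; return 0; fi
            if [ "$b" -gt "$best_bytes" ]; then best_bytes=$b; best=$v; fi
        done
    done
    echo "$best"
}

# php.ini line that lets every overriding script under $1 run under suhosin,
# or a comment saying none is needed because nothing calls ini_set('memory_limit').
suggest_suhosin_limit() {
    limit=$(max_requested_limit "$1")
    if [ -z "$limit" ]; then
        echo "; no script raises memory_limit; suhosin.memory_limit not needed"
        return 0
    fi
    echo "suhosin.memory_limit = $limit"
}
```

Run it against the directory holding the installed scripts, e.g. `suggest_suhosin_limit /usr/share/cacti/site`, before and after applying a proposed fix: if the list from `find_memory_limit_overrides` is empty after the fix, the scripts no longer raise their own limit and suhosin has nothing to object to; if it is not empty, the suggested `suhosin.memory_limit` line (or a larger value) still has to go into the suhosin configuration. A script requesting `-1` cannot be satisfied by any finite suhosin.memory_limit, which the check reports explicitly.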