Friday, June 01, 2018

Re: Nextcloud - cert validation in chroot

On Fri, 1 Jun 2018 18:46:25 +0100, Stuart Henderson
<stu@spacehopper.org> wrote:

> Thanks - this is a common problem with many PHP apps rather than being
> specific to nextcloud/owncloud. Rather than repeating it all over the
> place I've just added a section to the pkg-readme for PHP that
> explains this.

Great! Would you mind documenting the creation of *random devices?
Feel free to take the diff and commit on my behalf if you agree (I'm
sure you'll want to change some wordings ;)). I don't know if we need
to document for null and zero as well.

Cheers,
Daniel



Index: 5.6/Makefile
===================================================================
RCS file: /cvs/ports/lang/php/5.6/Makefile,v
retrieving revision 1.74
diff -u -p -r1.74 Makefile
--- 5.6/Makefile 1 Jun 2018 18:01:13 -0000 1.74
+++ 5.6/Makefile 1 Jun 2018 19:30:53 -0000
@@ -4,7 +4,7 @@ BROKEN-alpha= pcre_jit_compile.c:65:2: e

PV= 5.6
V= ${PV}.36
-REVISION= 6
+REVISION= 7

MASTER_SITES0= https://download.suhosin.org/

Index: 7.0/Makefile
===================================================================
RCS file: /cvs/ports/lang/php/7.0/Makefile,v
retrieving revision 1.57
diff -u -p -r1.57 Makefile
--- 7.0/Makefile 1 Jun 2018 18:01:13 -0000 1.57
+++ 7.0/Makefile 1 Jun 2018 19:30:53 -0000
@@ -2,7 +2,7 @@

PV= 7.0
V= ${PV}.30
-REVISION= 6
+REVISION= 7

BUILD_DEPENDS+= devel/bison

Index: files/README-main
===================================================================
RCS file: /cvs/ports/lang/php/files/README-main,v
retrieving revision 1.5
diff -u -p -r1.5 README-main
--- files/README-main 1 Jun 2018 17:45:19 -0000 1.5
+++ files/README-main 1 Jun 2018 19:30:53 -0000
@@ -115,15 +115,32 @@ you can use these shell commands:
After enabling or disabling extensions (or otherwise modifying php's
configuration), use rcctl(8) to restart php${SV}_fpm or Apache.

-TLS Connections from PHP
-========================
+Files restriction because of the chroot jail
+============================================
The chroot jail commonly used with PHP on OpenBSD restricts access to
-files outside of /var/www. If using PHP software which makes an
outgoing -TLS connection, you will need to copy in the relevant root
certificates -in order that server certificates can be verified:
+files outside of /var/www.
+
+TLS Connections from PHP
+------------------------
+If using PHP software which makes an outgoing TLS connection, you will
+need to copy in the relevant root certificates in order that server
+certificates can be verified:

# mkdir -p ${CHROOT_DIR}/etc/ssl
# install -m 444 -o root -g bin /etc/ssl/cert.pem
${CHROOT_DIR}/etc/ssl/cert.pem
As this file is updated from time to time, you might like to add the
"install" line to /etc/rc.local.
+
+Random devices
+--------------
+Some PHP software need to access device special files to get entropy.
+To create such a device, you can use mknod(1):
+
+ # mkdir -p ${CHROOT_DIR}/dev
+ # mknod -m 644 urandom 45 0
+ # mknod -m 644 srandom 45 1
+ # ln -s ${CHROOT_DIR}/dev/urandom ${CHROOT_DIR}/dev/{a,}random
+
+Please note this requires a partition mounted without the 'nodev'
flags, +thus a dedicated partition is better.
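Review bot: the two mknod(1) lines in the "Random devices" section create the device nodes in the current working directory, not in ${CHROOT_DIR}/dev, because the paths are relative and there is no preceding cd; either prefix the node names with ${CHROOT_DIR}/dev/ or add a `# cd ${CHROOT_DIR}/dev` line after the mkdir. The symlinks have a related problem: `ln -s ${CHROOT_DIR}/dev/urandom ${CHROOT_DIR}/dev/{a,}random` stores an absolute target, which inside the chroot resolves relative to the chroot root and therefore points at a non-existent path; a relative target such as `ln -s urandom ${CHROOT_DIR}/dev/arandom` (and likewise for random) works both inside and outside the jail, which is also how MAKEDEV(8) links them. The major/minor numbers 45 0 and 45 1 are hardcoded; device numbers are not the same on every architecture, so it is safer to tell readers to copy the numbers shown by `ls -l /dev/urandom /dev/srandom` on their own machine. Minor wording: "Some PHP software need to access" should read "needs to access", and "the 'nodev' flags" should be singular.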
