PHP: zts or not? (SourceGuardian extension problem)

[axvaster]

Hi Support,

After I upgrade php to 7.2.34 from remi's repo (in order to fulfill the vulnerability assessment)

It turned out that SourceGuardian needs "ixed7.2ts.lin" extension to let httpd work.

Code: Select all

PHP script '/usr/local/nagiosxi/html/includes/dbl.inc.php' is protected by SourceGuardian and requires a SourceGuardian loader 'ixed.7.2ts.lin' to be installed.

1) Click here to download the required 'ixed.7.2ts.lin' loader from the SourceGuardian site
2) Install the loader to /usr/lib64/php-zts/modules
3) Edit /etc/php.ini and add 'extension=ixed.7.2ts.lin' directive
4) Restart the web server

But the php I installed is zts-disabled,

Code: Select all

# php -i | grep Thread
Thread Safety => disabled

which means I can't use the extension with the "ts" (ixed.7.2ts.lin).


But the SourceGuardian seems not work if I set the "ixed.7.2.lin" instead.

Which way should I do? either:
1. reinstall php with zts; but i can't find 7.2.34 with zts version. (from remi's repo)
or
2. how to make SourceGaurdian accept zts-disabled extension? ("ixed.7.2.lin")

Please advise.

Thank you!

[dchurch]

PHP thread safety isn't required for Nagios XI. Ubuntu 18 and CentOS 7 both ship with PHP thread safety disabled both work fine. PHP 7.2 should also work fine.

In your case, you may be able to fix your issue if you simply run these commands as root on the XI system:

Code: Select all

cd /tmp
rm -rf nagiosxi xi*
wget https://assets.nagios.com/downloads/nagiosxi/xi-latest.tar.gz
tar xzf xi-latest.tar.gz
cd nagiosxi
./init.sh
sed -i '/^PHP script/d' xi-sys.cfg
sed -i '/^1)/d' xi-sys.cfg
sed -i '/^2)/d' xi-sys.cfg
sed -i '/^3)/d' xi-sys.cfg
\rm -f /etc/php.d/sourceguardian.ini
\rm -f /usr/lib64/php/modules/ixed*
sed -i 's/ixed.$phpver.lin/ixed.${phpver}ts.lin/' install-sourceguardian-extension.sh
./install-sourceguardian-extension.sh

Let us know if that resolves your issue.

Additionally, I'd like to get some further information on which packages you have installed (I'm unable to replicate it with the same repo):

Code: Select all

rpm -qa | grep -i php

[axvaster]

It doesn't work.

(Note: I am not sure what the script has done, but this XI server is in offline network env)

It is the same as previous message:

PHP is complaining the extension without "ts";

httpd / SourceGuardian are complaining they need extension with "ts".


PHP:

Code: Select all

$ php -v
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib64/php/modules/ixed.7.2.lin' (tried: /usr/lib64/php/modules/ixed.7.2.lin (/usr/lib64/php/modules/ixed.7.2.lin: cannot open shared object file: No such file or directory), /usr/lib64/php/modules//usr/lib64/php/modules/ixed.7.2.lin.so (/usr/lib64/php/modules//usr/lib64/php/modules/ixed.7.2.lin.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library 'ixed.7.2ts.lin' (tried: /usr/lib64/php/modules/ixed.7.2ts.lin (/usr/lib64/php/modules/ixed.7.2ts.lin: undefined symbol: core_globals_id), /usr/lib64/php/modules/ixed.7.2ts.lin.so (/usr/lib64/php/modules/ixed.7.2ts.lin.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
PHP 7.2.34 (cli) (built: Sep 30 2020 07:31:56) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.2.34, Copyright (c) 1999-2018, by Zend Technologies

httpd / SourceGuardian

Code: Select all

PHP script '/usr/local/nagiosxi/html/includes/dbl.inc.php' is protected by SourceGuardian and requires a SourceGuardian loader 'ixed.7.2ts.lin' to be installed.

1) Click here to download the required 'ixed.7.2ts.lin' loader from the SourceGuardian site
2) Install the loader to /usr/lib64/php-zts/modules
3) Edit /etc/php.ini and add 'extension=ixed.7.2ts.lin' directive
4) Restart the web server

Note:
1. I changed the permission -- "chmod +x " to the extension
2. I uncomment the extension declaring line in "/etc/php.ini":

Code: Select all

extension=/usr/lib64/php/modules/ixed.7.2.lin

------

PHP rpms:

Code: Select all

$ rpm -qa |grep -i php
php-fedora-autoloader-1.0.0-1.el7.noarch
php-pdo-7.2.34-1.el7.remi.x86_64
php-devel-7.2.34-1.el7.remi.x86_64
php-gd-7.2.34-1.el7.remi.x86_64
php-snmp-7.2.34-1.el7.remi.x86_64
php-common-7.2.34-1.el7.remi.x86_64
php-cli-7.2.34-1.el7.remi.x86_64
php-mbstring-7.2.34-1.el7.remi.x86_64
php-mysqlnd-7.2.34-1.el7.remi.x86_64
php-xml-7.2.34-1.el7.remi.x86_64
php-process-7.2.34-1.el7.remi.x86_64
php-opcache-7.2.34-1.el7.remi.x86_64
php-pear-1.10.9-3.el7.remi.noarch
php-pecl-ssh2-1.1.2-2.el7.remi.7.2.x86_64
php-json-7.2.34-1.el7.remi.x86_64
oniguruma5php-6.9.5+rev1-3.el7.remi.x86_64
php-pgsql-7.2.34-1.el7.remi.x86_64
php-ldap-7.2.34-1.el7.remi.x86_64
php-7.2.34-1.el7.remi.x86_64

[dchurch]

You shouldn't need to add extension=ixed.7.2.lin to php.ini, as that's already loaded in sourceguardian.ini.

You apparently don't have the non-ts module installed, but your sourceguardian.ini is already set up to load the correct one.

Install the non-ts one by running:

Code: Select all

cd /tmp
rm -rf nagiosxi xi*
wget https://assets.nagios.com/downloads/nagiosxi/xi-latest.tar.gz
tar xzf xi-latest.tar.gz
cd nagiosxi
./init.sh
./install-sourceguardian-extension.sh

[axvaster]

I tried exactly steps you gave; still no luck.

Here are some command output to check if I did anything wrong

Code: Select all

$ cd /tmp/nagiosxi
$ sudo ./init.sh
$
$ sudo ./install-sourceguardian-extension.sh
Archive:  sourceguardian/ixed4.lin.x86-64.zip
  inflating: /usr/lib64/php/modules/ixed.7.2.lin
Sourceguardian extension found for PHP version 7.2
Sourceguardian extension already in php.ini


$ grep ixed /etc/php.ini
$

$ ls -lR /usr/lib64/php* |grep ixed
-rw-r--r-- 1 root root  111080 Apr 21  2020 ixed.7.2.lin

After restart httpd,
the SourceGuardian still complaining the same message like I posted above:

Code: Select all

PHP script '/usr/local/nagiosxi/html/includes/dbl.inc.php' is protected by SourceGuardian and requires a SourceGuardian loader 'ixed.7.2ts.lin' to be installed.

1) Click here to download the required 'ixed.7.2ts.lin' loader from the SourceGuardian site
2) Install the loader to /usr/lib64/php-zts/modules
3) Edit /etc/php.ini and add 'extension=ixed.7.2ts.lin' directive
4) Restart the web server

Please help!

[dchurch]

The lines loading the extension should be in a file called sourceguardian.ini. Here's what it looks like on an Ubuntu 18

Code: Select all

$ grep '^extension=.*ixed' $(find /etc -type f -name '*.ini')
/etc/php/7.2/cli/conf.d/sourceguardian.ini:extension=ixed.7.2.lin
/etc/php/7.2/apache2/conf.d/sourceguardian.ini:extension=ixed.7.2.lin

If the output says e.g. "extension=ixed.7.2ts.lin" it's wrong on those lines, and you can fix it by running the following command:

Code: Select all

sudo sed -i~ -e '/^extension=.*ixed/ { s,ts\.lin,.lin, }' $(find /etc -type f -name 'sourceg*.ini')

[axvaster]

There is only one file here:

Code: Select all

$ grep '^extension=.*ixed' $(find /etc -type f -name '*.ini')
## (permission denied lines are excluded)
/etc/php.d/sourceguardian.ini:extension=ixed.7.2.lin

I have no idea why SourceGuardian is still complaining about it needs the "ts" version but with non-"ts" is set in the sourceguardian.ini file.

Code: Select all

PHP script '/usr/local/nagiosxi/html/includes/dbl.inc.php' is protected by SourceGuardian and requires a SourceGuardian loader 'ixed.7.2ts.lin' to be installed.

1) Click here to download the required 'ixed.7.2ts.lin' loader from the SourceGuardian site
2) Install the loader to /usr/lib64/php-zts/modules
3) Edit /etc/php.ini and add 'extension=ixed.7.2ts.lin' directive
4) Restart the web server

OS: CentOS Linux release 7.6.1810 (Core)

I didnt change anything but check sourceguardian.ini this time.

So every settings just the same as above...


Note:
I checked the other production Nagios XI server.
Seems their settings are the same.
What else settings can we check to determine this issue?
I am going to send you the profile zip of production server
(I can't download the profile zip on the unnormal one now, since sourceguardian is blocking us to login.)


Please advise!

Thank you!

[ssax]

Now you should run these exact commands again as root because it's saying you need the other version with the ts in the name installed:

Code: Select all

rm -rf nagiosxi xi*
wget https://assets.nagios.com/downloads/nagiosxi/xi-latest.tar.gz
tar xzf xi-latest.tar.gz
cd nagiosxi
./init.sh
sed -i '/^PHP script/d' xi-sys.cfg
sed -i '/^1)/d' xi-sys.cfg
sed -i '/^2)/d' xi-sys.cfg
sed -i '/^3)/d' xi-sys.cfg
\rm -f /etc/php.d/sourceguardian.ini
\rm -f /usr/lib64/php/modules/ixed*
sed -i 's/ixed.$phpver.lin/ixed.${phpver}ts.lin/' install-sourceguardian-extension.sh
./install-sourceguardian-extension.sh

[axvaster]

Hi,

After I tried script you posted, it turned out that php scripts are complaining that they need 'non-ts' version.

And I add 'extension=/usr/lib64/php/modules/ixed.7.2.lin' in the php.ini;

all function started working.

But every php is still complaining about dynamic library issue while running.

something like

Code: Select all

PHP Warning: PHP Startup: Unable to load dynamic library '/usr/local/lib/php/extensions/no-debug-non-zts-20090626/ixed.5.2.lin' - /usr/local/lib/php/extensions/no-debug-non-zts-20090626/ixed.5.2.lin: cannot open shared object file: No such file or directory in Unknown on line 0

(https://stackoverflow.com/questions/528 ... ic-library)

Unfortunately I lost the exact message; and it is not "no such file" issue, either.

I will collect messages when I visit client's env next time.

At least it is running in the Testing Environment, and seems works fine.

Not sure if [we need] or [how] to fix this warning messages.

[ssax]

Adding it to /etc/php.ini will cause issues during upgrades when trying to update the system with new loaders.

What is the output of these commands?

Code: Select all

grep -R 'ixed\|sourceguardian' /etc/php*
ls -l /etc/php.d
ls -l /usr/local/lib/php/extensions

Attach your /etc/php.ini file as well.

Thank you!