When running multiple Drupal sites on one server, the global settings from php.ini cannot suit all needs; e.g. some sites require more, others less memory than the defaults (on Debian "Squeeze", the default PHP memory_limit is set to 128M). For years I've been used to overriding the global PHP settings in the site-specific ./sites/default/settings.php file. Example:

ini_set('memory_limit',             '200M');

I do not want to raise the global resource limits to the maximum required by the fattest site because the more resources a Drupal site consumes, the slower it gets. So I'm happy for every site running properly with 96M, and I'm very happy with the override facility in ./sites/default/settings.php.

However, on recent Debian and Ubuntu releases, the Suhosin patch is enabled by default. This patch identifies settings in ./sites/default/settings.php as an "attack", as can be monitored in syslog:

... ALERT - script tried to increase memory_limit to 209715200 bytes which is above the allowed value (attacker '77.xxx.xxx.xxx', file '/var/www/drupal/sites/default/settings.php', line 149)

This is not only annoying as it floods syslog with bogus "attack" alerts, it also forces the PHP settings to the defaults. For whatever reason, adjusting PHP resource limits in Drupal's ./sites/default/settings.php does not work anymore for me on Debian 6.0 "Squeeze".

Is anyone else experiencing this? Is there a solution?
(btw, the forum at "Hardened PHP Project" is currently down, and the troubleshooting page contains just an ad)

Thx!

Comments

asb’s picture

Note that to have no memory limit, set this directive to -1.

(http://php.net/manual/en/ini.core.php)

glennpratt’s picture

Did you try suhosin.memory_limit in php.ini (perhaps you don't have access to this)?

This will allow you to set a maximum value for scripts to use with ini_set.

http://www.hardened-php.net/suhosin/configuration.html#suhosin.memory_limit

asb’s picture

This whole Suhosin stuff is crap as there is no sensible way to use it, and the "documentation" sucks big time.

In Debian "Lenny", these settings are located at ./etc/php5/apache2/conf.d/suhosin.ini; suhosin.memory_limit defaults to "0". If you set this to "1024", Syslog immediately starts to emit stuff like:

Oct 13 04:42:02 foo suhosin[8294]: ALERT - script tried to increase memory_limit to 209715200 bytes which is above the allowed value (attacker '12.34.56.78', file '/var/www/drupal/sites/default/settings.php', line 149)

The referenced line 149 in my ./var/www/drupal/sites/default/settings.php reads:

ini_set('memory_limit',             '200M');

So wtf, is it 200 megs, 1024 megs, 0 megs? What value from which config does count where, and why is this piece of sh** too dumb to distinguish between good code ("whitelist") and a real potential attack? Crap like this makes us numb against real attacks as syslog and other logfiles are constantly flooded with bogus notifications about "attacks" by Drupal core.

Just google a bit, all dynamic software seems to have numerous issues with Suhosin, be it WordPress or APC. Suhosin stinks.

marcrobinsone’s picture

For some reason, we've found that using PHP 5.3 for Drupal 7.x solves this problem.

drstuey’s picture

In fact I have 100,000 lines in my user.log file generated in only 3 days. Lovely.

I'm on PHP Version 5.3.3-7+squeeze14 and Drupal 7.14
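
An added example, not posted by anyone in this thread: a log summary that collapses the memory_limit alerts quoted above into one row per script location, so that the known ini_set call in settings.php can be separated from a raise attempted by any other file. The sample log lines, the second file path, the reviewed-file list and the function names are constructed for illustration; only the alert format comes from the thread.

```python
import re
from collections import defaultdict

# Field layout taken from the alert line quoted in the thread.
ALERT = re.compile(
    r"ALERT - script tried to increase memory_limit to (?P<bytes>\d+) bytes "
    r"which is above the allowed value \(attacker '(?P<ip>[^']*)', "
    r"file '(?P<file>[^']*)', line (?P<line>\d+)\)"
)

# Constructed sample lines (hosts, PIDs, addresses and the second path are made up).
SAMPLE_LOG = """\
Oct 13 04:42:02 foo suhosin[8294]: ALERT - script tried to increase memory_limit to 209715200 bytes which is above the allowed value (attacker '192.0.2.10', file '/var/www/drupal/sites/default/settings.php', line 149)
Oct 13 04:42:05 foo suhosin[8295]: ALERT - script tried to increase memory_limit to 209715200 bytes which is above the allowed value (attacker '192.0.2.11', file '/var/www/drupal/sites/default/settings.php', line 149)
Oct 13 04:43:10 foo suhosin[8301]: ALERT - script tried to increase memory_limit to 1073741824 bytes which is above the allowed value (attacker '192.0.2.99', file '/var/www/drupal/sites/default/files/example.php', line 3)
Oct 13 04:43:11 foo apache2[811]: unrelated line
"""


def summarize(lines):
    """Collapse alerts into one row per (file, line, requested MB)."""
    rows = defaultdict(lambda: {"count": 0, "clients": set()})
    for text in lines:
        m = ALERT.search(text)
        if m is None:
            continue  # not a memory_limit alert
        key = (m["file"], int(m["line"]), int(m["bytes"]) // 2**20)
        rows[key]["count"] += 1
        rows[key]["clients"].add(m["ip"])
    return dict(rows)


def needs_review(rows, reviewed_files):
    """Return the rows raised from files that are not on the reviewed list."""
    return sorted(k for k in rows if k[0] not in reviewed_files)


if __name__ == "__main__":
    rows = summarize(SAMPLE_LOG.splitlines())
    for (path, line, mb), info in sorted(rows.items()):
        print(f"{info['count']:>6}  {mb:>5}M  {path}:{line}  "
              f"clients={len(info['clients'])}")
    reviewed = {"/var/www/drupal/sites/default/settings.php"}  # assumed list
    print("review:", needs_review(rows, reviewed))
```

The 209715200 bytes in the quoted alert is exactly the 200M requested by the ini_set call on line 149, which is why the summary reports it as 200M.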