Trouble Shooting: “PECL Install Doesn’t Work”

Some users prefer to mount their /tmp directory as noexec for security reasons, but we’ve seen that this can cause a problem for PECL installs. Pointing the PECL temp_dir to a new path gets around this problem.

Now, this isn’t strictly a LiteSpeed issue, but we thought some might find it useful to explore: Whether or not /tmp should be mounted as noexec is a matter of debate. A number of sources suggest that every server running Linux should mount /tmp as nonexecutable to prevent SUID attacks, but some scoff that this only provides false security. No matter what, any security feature is going to have some weaknesses, and it is understandable if a lot of users want to add the noexec option. Most of the time, having /tmp as noexec shouldn’t cause any problems, but recently a user reported this error while trying to do a PECL install for LSPHP (though this would be the same for PHP):

root@cptest [/usr/local/bin]# ./pecl install -n bbcode
downloading bbcode-1.0.2.tgz …
Starting to download bbcode-1.0.2.tgz (46,961 bytes)
………….done: 46,961 bytes

editing service online

7 source files, building
running: phpize
Configuring for:
PHP Api Version:         20100412
Zend Module Api No:      20100525
Zend Extension Api No:   220100525
shtool at ‘/tmp/pear/bbcode/build/shtool’ does not exist or is not executable.
Make sure that the file exists and is executable and then rerun this script.

ERROR: `phpize’ failed

Now, the obvious “solution” to this problem is to make /tmp executable (the command mount -o remount,exec /tmp would work), but that disables any extra security we were hoping to get in the first place. A more appropriate workaround is to point PECL’s temp_dir to a partition or path that allows execution:

mkdir /root/tmp 
pecl config-set temp_dir /root/tmp
or
pear config-set temp_dir /root/tmp

(There is a known bug where pecl config-set does not work but pear config-set does. If this is the case for you, simply use the PEAR config command. PECL will use PEAR when doing the install.)

This workaround preserves any security benefit from having /tmp set as noexec, but also allows PECL installs.

We’d love to hear any comments, questions, or criticisms. Cheers!

Tags: , , ,

Comments are closed.