PHP - MAJOR Security Patch - Very useful.


elix
02-20-2007, 06:28 PM
http://www.hardened-php.net/suhosin.127.html

Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts that can be used separately or in combination. The first part is a small patch against the PHP core that implements a few low-level protections against buffer overflows or format string vulnerabilities, and the second part is a powerful PHP extension that implements all the other protections.

Unlike our Hardening-Patch, Suhosin is binary compatible with normal PHP installations, which means it is compatible with 3rd-party binary extensions like ZendOptimizer.

If you want to read an article about the creator, see http://www.securityfocus.com/columnists/432

I will cover the installation steps for PHP 4.4.5 w/ the Suhosin patch, but the same idea can be used for other versions. I will continually update this thread as new PHP versions are released.

wget us3.php.net/get/php-4.4.5.tar.gz/from/us2.php.net/mirror

wget elix.us/suhosin-patch-4.4.5-0.9.6.patch.gz

gzip -d suhosin-patch-4.4.5-0.9.6.patch.gz

tar zxf php-4.4.5.tar.gz
cd php*

patch -p1 -i ../suhosin-patch-*.patch


Now grab your configure command with this:

php -i | grep configure

Take the actual substance of it (remove the "Configure Command =>" part) and add this: '--enable-suhosin'

So the final result may look like this (note this is the command I use; yours may differ):

'./configure' '--with-apxs=/usr/local/apache/bin/apxs' '--prefix=/usr/local' '--with-xml' '--enable-bcmath' '--enable-calendar' '--with-curl' '--enable-exif' '--enable-ftp' '--with-gd' '--with-jpeg-dir=/usr/local' '--with-png-dir=/usr' '--with-xpm-dir=/usr/X11R6' '--with-mcrypt' '--enable-magic-quotes' '--with-mysqli' '--with-mysql=/usr' '--with-openssl' '--enable-discard-path' '--with-pear' '--enable-sockets' '--enable-track-vars' '--with-ttf' '--with-freetype-dir=/usr' '--enable-gd-native-ttf' '--with-xmlrpc' '--with-zip' '--with-zlib' '--enable-suhosin'

Now just paste that command into your shell while you're in the PHP src dir (which you should already be in). It will configure PHP and get you ready to do the usual make / make install.

Once that's done:


make
make install


Now kill all httpd processes and start it cleanly; this command does the dirty work for you:

for i in `pgrep httpd`; do kill -9 $i; done ; service httpd start

Now load up a phpinfo page and you will get:

This server is protected with the Suhosin Patch 0.9.6
Copyright (c) 2006 Hardened-PHP Project
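As an added example (not part of elix's post or of the Suhosin project), here is a small POSIX shell script that automates the two manual steps above: it pulls the "Configure Command" line out of php -i output, strips the prefix, appends '--enable-suhosin' only if it is not already present, and checks a php -i / phpinfo dump for the Suhosin banner shown above. The SAMPLE_PHP_I text is constructed and the function names are my own.

```shell
#!/bin/sh
# Added example: derive the ./configure line from `php -i` and append
# '--enable-suhosin' exactly once, then verify the Suhosin banner.

# Constructed sample of the relevant `php -i` lines (real output is longer).
SAMPLE_PHP_I="PHP Version => 4.4.5
Configure Command =>  './configure' '--with-apxs=/usr/local/apache/bin/apxs' '--with-mysql=/usr'
Server API => Apache"

# Read `php -i` output on stdin; print the configure command with
# --enable-suhosin appended (skipped if the flag is already there).
suhosin_configure_cmd() {
    cmd=$(grep '^Configure Command' | sed 's/^Configure Command => *//')
    if [ -z "$cmd" ]; then
        echo "no Configure Command line found in input" >&2
        return 1
    fi
    case "$cmd" in
        *--enable-suhosin*) printf '%s\n' "$cmd" ;;
        *) printf "%s '--enable-suhosin'\n" "$cmd" ;;
    esac
}

# Exit 0 if the php -i / phpinfo text on stdin carries the Suhosin banner,
# i.e. the rebuilt PHP really is the patched one.
suhosin_active() {
    grep -q 'protected with the Suhosin Patch'
}

# Demo on the constructed sample (works offline).
# On a real box use:  php -i | suhosin_configure_cmd
#                     php -i | suhosin_active && echo "Suhosin patch active"
printf '%s\n' "$SAMPLE_PHP_I" | suhosin_configure_cmd
```

Run the generated command from the PHP source directory, then re-check with suhosin_active after make install and the httpd restart.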

I am using the defaults, but there are configuration options here:

http://www.hardened-php.net/suhosin/configuration.html

This may break some apps, but only those that are very poorly coded to begin with, and on the whole you really should not have issues. I have done benchmarks with this on and off and there is not much of a performance difference.

Enjoy, and do post your experience with it here.