What is Suhosin?

The last limit is especially important to note.

Note that all of these protections remain in place, but their default values are used rather than allowing you to set specific values, which often provide more protection. Additionally, the patch provides:

- Protection of destructors (DTORS), which are commonly used as a mechanism for triggering format string injection attacks.
- Protection of PHP against format string vulnerabilities.
- Protection against some errors in libc realpath implementations.

Without the patch, these features are not available.

This is a curious circumstance, especially given that these distributions go so far as to include SELinux. Installing Suhosin on your Red Hat based distribution is relatively painless, and the dividends such an installation pays are far and away worth any hassle you may encounter.

The advantage of doing this is that you may be able to install a version of PHP that is more current than the latest one available in your RPM repositories. The disadvantage is that once you have done this you can no longer rely on automatic updates to keep your PHP installation current, because a new package pulled from the repository will not have Suhosin. Before you start down this route, make sure you have the rpm-build package installed.

You can do this using:

Installation on CentOS 5

You can check which of the required packages are already installed by looking at the output from:

If you don't have any or all of the packages that you want installed, you can use yum to install them. Unfortunately the yum utility cannot be used to install source packages, so you have to download them by hand.

You can use the following commands to download the source for PHP 5. If you encounter warnings that the user or group mockbuild does not exist and that root is being used instead, don't worry; these are not errors.

Once the patch is downloaded you will want to check its MD5 sum against the one listed on the distribution website, just to be sure the download has not been tampered with. Of course, if an attacker compromised the Hardened-PHP web server they could tamper with the patch and modify the published MD5 hash to match.

Hardened-PHP also publishes a GPG public key that can be used to verify the patch signature, but again, an attacker who controlled the web server could change that too. It is probably sufficient just to check the MD5 hash value; the signature only adds assurance if you obtained the key from somewhere other than the same server.

To download and confirm the MD5, use:

Note that we are also renaming the patch to follow convention:

Next you have to edit the PHP RPM specification file to comment out the conflicting ecalloc entry and add the new Suhosin patch. You may get a lot of dependency errors as a result of this command. If so, install the missing packages using yum and retry. In my case this list was quite long, so the update was as well:
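The checksum check and the spec-file edit described above, as an added shell example that is not code from the original article or from the Suhosin project: verify_md5 compares a file's MD5 sum with the value you copied from the distribution site, and add_suhosin_patch comments out the ecalloc entry in a spec file and adds the Suhosin patch as the next PatchN/%patchN pair. The spec fragment, file names, version and checksum are constructed for illustration; that the conflicting entry is the Patch line whose file name contains "ecalloc", and that the Suhosin patch applies with -p1, are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article or from the Suhosin
# project.  File names, versions and the spec fragment below are constructed.

# verify_md5 FILE EXPECTED -> 0 if md5sum(FILE) equals EXPECTED, 1 otherwise.
# A mismatch means a corrupted or tampered download (or a mirror out of sync).
verify_md5() {
    _file=$1
    _expected=$2
    _actual=$(md5sum "$_file" | awk '{ print $1 }')
    if [ "$_actual" = "$_expected" ]; then
        echo "OK: $_file md5=$_actual"
        return 0
    fi
    echo "MISMATCH: $_file md5=$_actual expected=$_expected" >&2
    return 1
}

# add_suhosin_patch SPEC PATCHFILE -> edits SPEC in place and prints the
# patch number assigned to PATCHFILE.  Assumptions: the conflicting entry is
# the PatchN: line whose file name contains "ecalloc", the spec already has
# at least one PatchN:/%patchN pair, and the Suhosin patch applies with -p1.
add_suhosin_patch() {
    _spec=$1
    _patch=$2
    # number of the ecalloc patch ("2" from "Patch2: php-5.1.6-ecalloc.patch")
    _ec=$(sed -n 's/^Patch\([0-9][0-9]*\):.*ecalloc.*/\1/p' "$_spec" | head -n 1)
    # highest existing patch number; the new patch gets the next one
    _last=$(sed -n 's/^Patch\([0-9][0-9]*\):.*/\1/p' "$_spec" | sort -n | tail -n 1)
    _new=$(( ${_last:-0} + 1 ))
    awk -v ec="$_ec" -v last="$_last" -v new="$_new" -v pf="$_patch" '
    {
        line = $0
        # comment out both halves of the conflicting entry (Patch line and %patch line)
        if (ec != "" && (line ~ ("^Patch" ec ":") || line ~ ("^%patch" ec "( |$)")))
            line = "# " line
        print line
        # add the new Patch line after the last Patch line, and the matching
        # %patch line after the last %patch line in %prep
        if (last != "" && $0 ~ ("^Patch" last ":"))      print "Patch" new ": " pf
        if (last != "" && $0 ~ ("^%patch" last "( |$)")) print "%patch" new " -p1"
    }' "$_spec" > "$_spec.tmp" && mv "$_spec.tmp" "$_spec"
    echo "$_new"
}

# Demonstration on constructed files in a scratch directory.
demo() {
    _dir=$(mktemp -d)
    # constructed stand-in for the downloaded (and renamed) Suhosin patch
    printf 'constructed stand-in for a suhosin patch\n' > "$_dir/suhosin-patch.patch"
    # in real use this value is copied from the distribution website
    _published=$(md5sum "$_dir/suhosin-patch.patch" | awk '{ print $1 }')
    verify_md5 "$_dir/suhosin-patch.patch" "$_published"
    # constructed fragment of a CentOS 5 style php.spec
    cat > "$_dir/php.spec" <<'EOF'
Name: php
Version: 5.1.6
Patch1: php-5.1.6-gnusrc.patch
Patch2: php-5.1.6-ecalloc.patch
%prep
%setup -q
%patch1 -p1
%patch2 -p1
EOF
    add_suhosin_patch "$_dir/php.spec" suhosin-patch.patch
    cat "$_dir/php.spec"
    rm -rf "$_dir"
}
demo
```

Run the script as-is to see the edited spec; in real use replace the constructed checksum with the one from the website and point add_suhosin_patch at the spec that rpm -i installed under the SPECS directory, then review the diff of the spec before running rpmbuild.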

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

It is therefore their right to install this patch and configure it any way they like. Suhosin is by no means a requirement for PHP development. You can, and should, learn PHP best practices so that patches like Suhosin are merely an aid, not a crutch.

Suhosin includes a compatibility mode called suhosin. This will log, but not block, the execution of anything Suhosin finds objectionable. You can use this mode to determine whether or not Suhosin works with your application and which restrictions will affect you.

Might also be worth mentioning the session data encryption on this as well, Brandon. The simplest case of this not working is Flash uploaders — you will run into issues with encrypted sessions and Flash doing HTTP requests. This is a common problem in Magento, for example.

First of all, Suhosin is a two-part system. That means there is a patch and an extension that can be used alone or together.

The difference is that the patch implements low-level security while the extension implements high-level security. That said, in most cases only the Suhosin patch is activated by default, which adds protections around PHP internal functions. If PHP scripts break with only the Suhosin patch applied, this means they ultimately suck, because they trigger memory corruption problems within PHP. If these scripts work with standard PHP and do not crash, then you are simply lucky.

The right way here would be to track down the memory corruption inside PHP and fix it. So all the features you discuss are within the Suhosin extension, which is NOT installed by default in many places. So if you want your application to work with new PHP, you have to fix that anyway.