Suhosin

About Suhosin
Suhosin is an advanced protection system for PHP that effectively works to secure your server from known and unknown flaws in PHP applications and the PHP core itself. Suhosin offers two separate installation methods that can in fact be used in combination if a user so wishes. Of these two methods, this article currently only covers installing the PHP extension of Suhosin. The other method involves patching against the PHP core, which implements some low-level buffer overflow protections as well as protection against format string vulnerabilities. If used together, both methods work to create a very powerful and effective protection system for your PHP installation.

Installing Suhosin
Please Note: The installation of Suhosin requires a custom PHP build, as described in Installing_PHP5 or Installing_PHP4.

If you are unable to do so, then you may not be able to use Suhosin on your DreamHost account.

Below is the install script for the Suhosin PHP module.

Please make sure to run 'dos2unix suhosin_ext.sh' from the shell if you use a Windows-based editor to create this file.

suhosin_ext.sh

#!/bin/sh
set -e

# Version 1.0d, 2007-10-05
# - Updated 2007-09-19 by Chris Shymanik (chris@chipsncheese.com)
#   - Minor revision 1.0b to fix an end-of-install bug.
# - Initial Release (2007-05-30)

########## User Configuration Options ##########

# Temporary source directory
SRCDIR=${HOME}/source
# Download temporary DIST files to which directory?
DISTDIR=${HOME}/dist
# Delete contents of DISTDIR after installation? (Default: Yes)
DISTDEL="Yes"
# Install Suhosin to which directory?
# Note: This *MUST* be set to your PHP5 installation directory!
INSTALLDIR=${HOME}/php5
# Nice Level for Processes. (Deprecated)
# Higher is nicer, lower is less nice and could get your install process killed!
NICE=19

# Program Version Configuration
# Don't touch unless you know what you're doing!
AUTOCONF="autoconf-2.61"
AUTOMAKE="automake-1.10"
SUH="suhosin-0.9.20"
# What features do you want enabled?
SUHFEATURES="--prefix=${INSTALLDIR}"

########## END User Configuration Options ##########

########## DO NOT MODIFY BELOW ##########
sleep 1s

# Push the install dir's bin directory into the path
export PATH=${INSTALLDIR}/bin:$PATH

# Clear and/or create the source directory.
if [ -d ${SRCDIR} ]; then
    echo "Source directory already exists! Cleaning it..."
    rm -rf $SRCDIR/*
else
    echo "Creating source directory..."
    mkdir -p ${SRCDIR}
fi

# Create the dist files directory if it doesn't exist,
# optionally cleaning it if it does exist already.
if [ -d ${DISTDIR} ]; then
    echo ""; echo "Distribution directory already exists!"; echo "Clean it?"
    if [ ${DISTDEL} = "Yes" ]; then
        echo ""; echo "Yes!"; echo "Cleaning now..."; echo ""
        rm -rf $DISTDIR/*
    else
        echo ""; echo "No!"; echo "Leaving the distribution directory intact."; echo ""
    fi
else
    echo "Creating distribution directory..."
    mkdir -p ${DISTDIR}
fi

# Make sure the extensions directory exists.
if [ -d ${INSTALLDIR}/lib/php/extensions ]; then
    echo "lib/php/extensions folder already exists! Doing nothing..."
else
    mkdir -p ${INSTALLDIR}/lib/php/extensions
fi

# Detect how many processors the system has (for more optimal compilation).
cores=2  # the number of cores/procs to use when building
if [ $cores -a $cores -gt 1 ]; then
    j="-j$cores "
fi
# Platform detection (sed/makefile names are kept from the template script; only
# $sed is used below, to verify the tool is present).
OS=`uname -s`
if [ "Darwin" = $OS ]; then
    sed=gnused
    makefile=makefile.macosx
else
    makefile=makefile.linux_x86_ppc_alpha
    sed=sed
fi

# Abort (via set -e) if a required tool is missing.
for i in $sed wget; do
    $i --version >/dev/null 2>&1
done

# Check if packages already exist and get the ones that don't.
cd ${DISTDIR}
# Do not abort on errors; we do our own error checking for the downloads.
set +e
# Wget options
WGETOPT="-t1 -T10 -w5 -q -c"

if [ -e ${DISTDIR}/${AUTOCONF}.tar.gz ]; then
    echo "Skipping wget of ${AUTOCONF}.tar.gz"
else
    wget $WGETOPT ftp://ftp.ucsb.edu/pub/mirrors/linux/gentoo/distfiles/${AUTOCONF}.tar.gz
    # If primary mirror fails, use the alternative mirror.
    if [ -e ${DISTDIR}/${AUTOCONF}.tar.gz ]; then
        echo "Got ${AUTOCONF}.tar.gz"
    else
        wget $WGETOPT ftp://ftp.gnu.org/gnu/autoconf/${AUTOCONF}.tar.gz
        # Check to make sure the alternative mirror worked.
        if [ -e ${DISTDIR}/${AUTOCONF}.tar.gz ]; then
            echo "Got ${AUTOCONF}.tar.gz"
        else
            echo "Failed to get ${AUTOCONF}.tar.gz. Aborting install!"
            exit 1
        fi
    fi
fi

if [ -e ${DISTDIR}/${AUTOMAKE}.tar.bz2 ]; then
    echo "Skipping wget of ${AUTOMAKE}.tar.bz2"
else
    wget $WGETOPT ftp://ftp.ucsb.edu/pub/mirrors/linux/gentoo/distfiles/${AUTOMAKE}.tar.bz2
    # If primary mirror fails, use the alternative mirror.
    if [ -e ${DISTDIR}/${AUTOMAKE}.tar.bz2 ]; then
        echo "Got ${AUTOMAKE}.tar.bz2"
    else
        wget $WGETOPT ftp://ftp.gnu.org/gnu/automake/${AUTOMAKE}.tar.bz2
        # Check to make sure the alternative mirror worked.
        if [ -e ${DISTDIR}/${AUTOMAKE}.tar.bz2 ]; then
            echo "Got ${AUTOMAKE}.tar.bz2"
        else
            echo "Failed to get ${AUTOMAKE}.tar.bz2. Aborting install!"
            exit 1
        fi
    fi
fi

if [ -e ${DISTDIR}/${SUH}.tgz ]; then
    echo "Skipping wget of ${SUH}.tgz"
else
    wget $WGETOPT ftp://ftp.ucsb.edu/pub/mirrors/linux/gentoo/distfiles/${SUH}.tgz
    # If primary mirror fails, use the alternative mirror.
    if [ -e ${DISTDIR}/${SUH}.tgz ]; then
        echo "Got ${SUH}.tgz"
    else
        wget $WGETOPT http://www.hardened-php.net/suhosin/_media/${SUH}.tgz
        # Check to make sure the alternative mirror worked.
        if [ -e ${DISTDIR}/${SUH}.tgz ]; then
            echo "Got ${SUH}.tgz"
        else
            echo "Failed to get ${SUH}.tgz. Aborting install!"
            exit 1
        fi
    fi
fi

# Abort on errors again from here on.
set -e

# Extract the source files into the source directory.
cd ${SRCDIR}
echo "Extracting ${AUTOCONF}..."
tar xzf ${DISTDIR}/${AUTOCONF}.tar.gz > /dev/null
echo "Done."
echo "Extracting ${AUTOMAKE}..."
tar xjf ${DISTDIR}/${AUTOMAKE}.tar.bz2 > /dev/null
echo "Done."
echo "Extracting ${SUH}..."
tar xzf ${DISTDIR}/${SUH}.tgz > /dev/null
echo "Done."

# Required exports
export PATH=${SRCDIR}/bin:$PATH
export PHP_PREFIX=${INSTALLDIR}/bin

# Compile deps and install Suhosin

# AUTOCONF
cd ${SRCDIR}/${AUTOCONF}
./configure --prefix=${SRCDIR}
nice -n ${NICE} make $j
make install
# make clean

# AUTOMAKE
cd ${SRCDIR}/${AUTOMAKE}
./configure --prefix=${SRCDIR}
nice -n ${NICE} make $j
make install
# make clean

# SUH
cd ${SRCDIR}/${SUH}
$PHP_PREFIX/phpize
./configure ${SUHFEATURES}
nice -n ${NICE} make $j
# make clean

# Install Suhosin now by copying the lib file over to the PHP extension dir.
cp modules/suhosin.so ${INSTALLDIR}/lib/php/extensions/suhosin.so

# Post install clean-up.
sleep 2s
cd ${HOME} && clear

rm -rf $SRCDIR
if [ ${DISTDEL} = "Yes" ]; then
    rm -rf $DISTDIR
elif [ ${DISTDEL} = "No" ]; then
    echo "Your DISTDIR will not be cleaned."
else
    echo "Unknown DISTDEL option! Cleaning your DISTDIR by default."
    rm -rf $DISTDIR
fi

# End of Install
echo "Installation completed!" `date +%r`

# EOF

php.ini modifications
Locate the following line(s) in your php.ini file:

; Directory in which the loadable extensions (modules) reside.
extension_dir = "./"

Modify the extension_dir line to look like this, replacing username with the username of your account:

; Directory in which the loadable extensions (modules) reside.
extension_dir = "/home/username/php5/lib/php/extensions"

Now add the following near the very end of your current php.ini file.

[suhosin]
extension="suhosin.so"

Disabling Suhosin
If, for whatever reason, you need Suhosin disabled, you can do so by adding the following line to your php.ini:

suhosin.simulation=On
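The php.ini wiring described in the two sections above is easy to get subtly wrong (an extension_dir that does not contain suhosin.so, a missing extension line, or a simulation setting left on after debugging), so here is an added example, not part of the original wiki page or of Suhosin itself, that audits a php.ini for those three conditions without invoking the php binary. The fixture paths, the placeholder suhosin.so and the sample ini files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a php.ini for the Suhosin wiring (extension_dir,
# extension="suhosin.so") and report whether suhosin.simulation has put the
# module into log-only mode.
# Exit codes: 0 = loaded and enforcing, 1 = misconfigured (module will not
# load), 2 = loaded but simulation mode is on.
check_suhosin_ini() {
    ini=$1
    # Drop ';' comments, keep the last extension_dir assignment, strip quotes/space.
    extdir=$(sed 's/;.*//' "$ini" | awk -F= '/^[ \t]*extension_dir[ \t]*=/ {
        gsub(/^[ \t"]+|[ \t"]+$/, "", $2); v=$2 } END { print v }')
    [ -n "$extdir" ] || { echo "FAIL: extension_dir not set in $ini"; return 1; }
    [ -f "$extdir/suhosin.so" ] || { echo "FAIL: $extdir/suhosin.so missing"; return 1; }
    # The loader line may be written quoted or unquoted.
    sed 's/;.*//' "$ini" | grep -Eq '^[[:space:]]*extension[[:space:]]*=[[:space:]]*"?suhosin\.so"?[[:space:]]*$' \
        || { echo "FAIL: extension=\"suhosin.so\" missing, module will not be loaded"; return 1; }
    if sed 's/;.*//' "$ini" | grep -Eiq '^[[:space:]]*suhosin\.simulation[[:space:]]*=[[:space:]]*(on|1|true|yes)[[:space:]]*$'; then
        echo "WARN: suhosin.simulation=On, violations are logged but not blocked"; return 2
    fi
    echo "OK: Suhosin loads from $extdir and is enforcing"
}

# Constructed fixtures under a temp dir: a placeholder suhosin.so (not a real
# module) plus three php.ini variants. Echoes the directory path.
make_fixtures() {
    d=$(mktemp -d)
    mkdir -p "$d/php5/lib/php/extensions"
    : > "$d/php5/lib/php/extensions/suhosin.so"
    printf '%s\n' "extension_dir = \"$d/php5/lib/php/extensions\"" '[suhosin]' \
        'extension="suhosin.so"' > "$d/good.ini"
    cp "$d/good.ini" "$d/sim.ini"; echo 'suhosin.simulation=On' >> "$d/sim.ini"
    printf '%s\n' 'extension_dir = "./"' '[suhosin]' 'extension="suhosin.so"' > "$d/bad.ini"
    echo "$d"
}

demo=$(make_fixtures)
for f in good sim bad; do
    rc=0; check_suhosin_ini "$demo/$f.ini" || rc=$?
    echo "$f.ini -> exit $rc"
done
rm -rf "$demo"
```

Point check_suhosin_ini at your own php.ini to confirm the module path resolves before restarting PHP; a result of 2 means the protections are present but only logging.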
