Suhosin

From DreamHost
Revision as of 10:08, 19 September 2007 by Mousee (Talk | contribs)


About Suhosin

Suhosin is an advanced protection system for PHP installations. It is designed to protect servers and users from known and unknown flaws in PHP applications and in the PHP core itself. Suhosin comes in two parts that can be installed separately or in combination. The first is a patch against the PHP core, which implements low-level protections such as buffer overflow detection and protection against format string vulnerabilities. The second is a PHP extension, which implements the rest of Suhosin's protections and works without the core patch. This article currently covers only the extension. Used together, the two parts form a considerably stronger protection system for your PHP installation than either one on its own.

Installing Suhosin

The instructions provided in this article or section are considered advanced.

You are expected to be knowledgeable in the UNIX shell.
Support for these instructions is not available from DreamHost tech support.
Server changes may cause this to break. Be prepared to troubleshoot this yourself if this happens.
We seriously aren't kidding about this.

Please Note: Suhosin must be built against a PHP that you have installed under your own account, so you need to complete Installing_PHP5 or Installing_PHP4 first.
If you are unable to do so, you will not be able to use Suhosin on your DreamHost account. The script below assumes the PHP5 layout (${HOME}/php5); set INSTALLDIR to wherever your PHP actually lives.


Below is the install script for the Suhosin PHP module. It is a bash script (it relies on [[ ]] tests), so run it with bash, or make it executable and run it directly.
Please make sure to run 'dos2unix suhosin_ext.sh' from the shell if you use a Windows-based editor to create this file; CRLF line endings break the interpreter line.
Be aware that the script fetches autoconf, automake and the Suhosin source over plain FTP/HTTP and only checks that a file arrived, not what it contains. Before you let it build anything, compare the downloaded Suhosin tarball against a checksum or signature obtained from a source you trust.

suhosin_ext.sh

#!/bin/bash
set -e

# Version 1.0b, 2007-09-19
#
# - Updated 2007-09-19 by Chris Shymanik (chris@chipsncheese.com)
#   - Minor revision 1.0b to fix an end-of-install bug.
#
# - Initial Release (2007-05-30)

#### User Configuration Options
# Temporary source directory
SRCDIR=${HOME}/source
# Download temporary DIST files to which directory?
DISTDIR=${HOME}/dist
# Delete contents of DISTDIR after installation? (Default: Yes)
DISTDEL="Yes"
# Install Suhosin to which directory?
# Note: This *MUST* be set to your PHP5 installation directory (no trailing slash)!
INSTALLDIR=${HOME}/php5
# Nice level for the build processes. (Deprecated)
# Higher is nicer, lower is less nice and could get your install process killed!
NICE=19

## Program Version Configuration
# Don't touch unless you know what you're doing!
AUTOCONF="autoconf-2.61"
AUTOMAKE="automake-1.10"
SUH="suhosin-0.9.20"
# What features do you want enabled?
# --with-php-config pins the build to the PHP under INSTALLDIR rather than
# whatever php-config happens to be first in the PATH.
SUHFEATURES="--prefix=${INSTALLDIR} --with-php-config=${INSTALLDIR}/bin/php-config"

#### END User Configuration Options

########## DO NOT MODIFY BELOW ##########

# Push the install dir's bin directory into the path so that phpize and
# php-config come from the PHP we are building against, not the system PHP.
export PATH=${INSTALLDIR}/bin:$PATH

# Clear and/or create the source directory.
# ${VAR:?} aborts instead of expanding to "/*" if the variable is ever empty.
if [[ -d ${SRCDIR} ]]; then
    echo "Source directory already exists! Cleaning it..."
    rm -rf "${SRCDIR:?}"/*
else
    echo "Creating source directory..."
    mkdir -p "${SRCDIR}"
fi
# Create the dist files directory if it doesn't exist,
# optionally cleaning it if it does exist already.
if [[ -d ${DISTDIR} ]]; then
    echo ""; echo "Distribution directory already exists!"; echo "Clean it?"
    if [[ ${DISTDEL} == "Yes" ]]; then
        echo ""; echo "Yes!"; echo "Cleaning now..."; echo ""
        rm -rf "${DISTDIR:?}"/*
    else
        echo ""; echo "No!"; echo "Leaving the distribution directory intact."; echo ""
    fi
else
    echo "Creating distribution directory..."
    mkdir -p "${DISTDIR}"
fi
# Make sure the extensions directory exists.
EXTDIR=${INSTALLDIR}/lib/php/extensions
if [[ -d ${EXTDIR} ]]; then
    echo "lib/php/extensions folder already exists! Doing nothing..."
else
    mkdir -p "${EXTDIR}"
fi

# Number of cores/procs to use when building (passed to make as -jN).
cores=2
j=""
if [[ -n ${cores} && ${cores} -gt 1 ]]; then
    j="-j${cores}"
fi

# Make sure the tools we need are present before downloading anything.
for i in sed wget tar make; do
    if ! ${i} --version >/dev/null 2>&1; then
        echo "Required tool '${i}' not found in PATH. Aborting install!"
        exit 1
    fi
done

## Check if packages already exist and get the ones that don't.
cd "${DISTDIR}"
# Wget options: one try, 10s timeout, 5s wait between retries, quiet, resume.
WGETOPT="-t1 -T10 -w5 -q -c"

# fetch FILE PRIMARY_URL FALLBACK_URL
# Skip if FILE is already in DISTDIR; otherwise try the primary mirror, then
# the alternative mirror. Abort the install if both fail, leaving no partial
# file behind that a later run could mistake for a complete download.
fetch() {
    local file=$1 primary=$2 fallback=$3
    if [[ -f ${DISTDIR}/${file} ]]; then
        echo "Skipping wget of ${file}"
        return 0
    fi
    if wget ${WGETOPT} "${primary}" || wget ${WGETOPT} "${fallback}"; then
        echo "Got ${file}"
    else
        rm -f "${DISTDIR}/${file}"
        echo "Failed to get ${file}. Aborting install!"
        exit 1
    fi
}

GENTOO_MIRROR="ftp://ftp.ucsb.edu/pub/mirrors/linux/gentoo/distfiles"
fetch "${AUTOCONF}.tar.gz"  "${GENTOO_MIRROR}/${AUTOCONF}.tar.gz"  "ftp://ftp.gnu.org/gnu/autoconf/${AUTOCONF}.tar.gz"
fetch "${AUTOMAKE}.tar.bz2" "${GENTOO_MIRROR}/${AUTOMAKE}.tar.bz2" "ftp://ftp.gnu.org/gnu/automake/${AUTOMAKE}.tar.bz2"
fetch "${SUH}.tgz"          "${GENTOO_MIRROR}/${SUH}.tgz"          "http://www.hardened-php.net/suhosin/_media/${SUH}.tgz"

# Extract the source files into the source directory.
cd "${SRCDIR}"
echo "Extracting ${AUTOCONF}..."
tar xzf "${DISTDIR}/${AUTOCONF}.tar.gz"
echo "Done."
echo "Extracting ${AUTOMAKE}..."
tar xjf "${DISTDIR}/${AUTOMAKE}.tar.bz2"
echo "Done."
echo "Extracting ${SUH}..."
tar xzf "${DISTDIR}/${SUH}.tgz"
echo "Done."

# Required exports: the freshly built autoconf/automake are installed under
# SRCDIR, so their bin directory must come first in the PATH.
export PATH=${SRCDIR}/bin:$PATH
PHP_BINDIR=${INSTALLDIR}/bin

## Compile deps and install Suhosin
#AUTOCONF
cd "${SRCDIR}/${AUTOCONF}"
./configure --prefix="${SRCDIR}"
nice -n ${NICE} make ${j}
make install

#AUTOMAKE
cd "${SRCDIR}/${AUTOMAKE}"
./configure --prefix="${SRCDIR}"
nice -n ${NICE} make ${j}
make install

#SUH
cd "${SRCDIR}/${SUH}"
"${PHP_BINDIR}/phpize"
./configure ${SUHFEATURES}
nice -n ${NICE} make ${j}

# Install Suhosin now by copying the lib file over to the PHP extension dir.
cp modules/suhosin.so "${EXTDIR}/suhosin.so"

# Post install clean-up.
cd "${HOME}" && clear

rm -rf "${SRCDIR}"
if [[ ${DISTDEL} == "Yes" ]]; then
    rm -rf "${DISTDIR}"
elif [[ ${DISTDEL} == "No" ]]; then
    echo "Your DISTDIR will not be cleaned."
else
    echo "Unknown DISTDEL option! Cleaning your DISTDIR by default."
    rm -rf "${DISTDIR}"
fi

## End of Install
echo "Installation completed!" "$(date +%r)"

#EOF
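The script above trusts whatever the mirrors return: it checks that a file arrived, not what it contains. The helper below, added here as an example and not part of the DreamHost page or of Suhosin, shows the check a practitioner would want in its place: download, compare the SHA-256 digest against a value obtained out of band, and delete the file on a mismatch so that a rerun cannot silently skip the download. The function names are this example's own, and no digests for the Suhosin release are given on this page, so the expected values must come from a source you trust.

```shell
#!/bin/bash
# Added example (not from the DreamHost page or the Suhosin project):
# fetch a tarball and refuse to use it unless its SHA-256 digest matches a
# value supplied by the caller. Function names are hypothetical.
set -eu

# verify_sha256 FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise.
verify_sha256() {
    file="$1"
    expected="$2"
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)   # macOS / BSD fallback
    fi
    [ "$actual" = "$expected" ]
}

# fetch_verified URL DEST EXPECTED_HEX
# Reuse DEST if it already verifies; otherwise download it (resuming a partial
# file), verify, and on any failure remove DEST so a later run cannot treat a
# bad or partial file as "already downloaded".
fetch_verified() {
    url="$1"
    dest="$2"
    expected="$3"
    if [ -f "$dest" ] && verify_sha256 "$dest" "$expected"; then
        echo "Already have verified $(basename "$dest")"
        return 0
    fi
    if ! wget -t1 -T10 -w5 -q -c -O "$dest" "$url"; then
        rm -f "$dest"
        echo "download failed: $url" >&2
        return 1
    fi
    if verify_sha256 "$dest" "$expected"; then
        echo "Verified $(basename "$dest")"
        return 0
    fi
    rm -f "$dest"
    echo "checksum mismatch for $url; refusing to use it" >&2
    return 1
}
```

To use it from suhosin_ext.sh, replace each wget call with fetch_verified URL "${DISTDIR}/FILE" EXPECTED_HEX and keep the expected digests next to the version strings in the configuration block, so that bumping a version forces you to look up the new digest.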

php.ini modifications

Locate the following line(s) in your php.ini file:

; Directory in which the loadable extensions (modules) reside.
extension_dir = "./"

Modify the extension_dir line to look like this, replacing username with the username of your account:

; Directory in which the loadable extensions (modules) reside.
extension_dir = "/home/username/php5/lib/php/extensions"


Now add the following near the very end of your current php.ini file.

[suhosin]
extension="suhosin.so"
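The same php.ini edit as a script, added here as an example and not part of the original page or of Suhosin: it points extension_dir at the extensions directory, appends the [suhosin] section only if no suhosin.so line is already there, keeps a backup of the original file, and then checks that suhosin.so really is where extension_dir says before you restart PHP. It assumes the stock php.ini layout with a single extension_dir line; the function names are hypothetical.

```shell
#!/bin/bash
# Added example (not from the DreamHost page or the Suhosin project):
# apply the php.ini changes above from a script so the edit is repeatable
# and safe to run twice. Function names are hypothetical.
set -eu

# configure_suhosin_ini INI EXTDIR
# Rewrites the extension_dir line to EXTDIR and appends the [suhosin] section,
# but only if no extension=suhosin.so line is present yet (loading the same
# extension twice makes PHP emit a warning on every request).
configure_suhosin_ini() {
    ini="$1"
    extdir="$2"
    cp "$ini" "$ini.bak"    # a broken php.ini takes every PHP page down; keep a backup
    if grep -q '^extension_dir[[:space:]]*=' "$ini"; then
        # Assumes EXTDIR contains no '|' or '&', which sed treats specially.
        sed "s|^extension_dir[[:space:]]*=.*|extension_dir = \"$extdir\"|" "$ini" > "$ini.tmp"
        mv "$ini.tmp" "$ini"
    else
        printf 'extension_dir = "%s"\n' "$extdir" >> "$ini"
    fi
    if ! grep -q '^extension[[:space:]]*=[[:space:]]*"\{0,1\}suhosin\.so' "$ini"; then
        printf '\n[suhosin]\nextension="suhosin.so"\n' >> "$ini"
    fi
}

# verify_suhosin_ini INI
# Returns 0 when extension_dir names a directory that actually contains
# suhosin.so and the extension line is present; otherwise says why and
# returns 1. Run it before restarting PHP, not after.
verify_suhosin_ini() {
    ini="$1"
    extdir=$(sed -n 's/^extension_dir[[:space:]]*=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$ini" | head -n 1)
    if [ -z "$extdir" ]; then
        echo "$ini: no extension_dir line" >&2
        return 1
    fi
    if [ ! -f "$extdir/suhosin.so" ]; then
        echo "$extdir/suhosin.so not found; was it copied to the right extension dir?" >&2
        return 1
    fi
    if ! grep -q '^extension[[:space:]]*=[[:space:]]*"\{0,1\}suhosin\.so' "$ini"; then
        echo "$ini: extension=\"suhosin.so\" line missing" >&2
        return 1
    fi
    return 0
}
```

Once PHP has been restarted (with CGI PHP, on the next request), confirm the module is actually loaded with /home/username/php5/bin/php -m, which lists suhosin among the compiled-in and loaded modules; an extension_dir that does not match the directory the .so was copied to is the usual reason it is absent.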

External Links

Suhosin Homepage