introducing suhosin: a security-extension for php


introducing suhosin: a security-extension for php

Pierre Schmitz
Hi Archers,

if you are running a web-server with php you might want to have a look at
suhosin. It calls itself an "advanced protection system for PHP".

A lot of the last found holes in PHP and some PHP-applications did not affect
php-installations with suhosin-protection.

You'll find more information on the following sites:
        http://www.hardened-php.net/suhosin/index.html
        http://www.hardened-php.net/suhosin/a_feature_list.html
        http://www.hardened-php.net/suhosin/why.html
        http://blog.php-security.org/

Yesterday I decided to test this out. Till now it did not break anything and
the protection seems to work. And the best thing is: it is binary-compatible
with existing modules and you do not have a noticeable loss of performance.

Suhosin consists of two independent parts:
1) a patch against php
        http://aur.archlinux.org/packages.php?do_Details=1&ID=7398
2) a php-extension
        http://aur.archlinux.org/packages.php?do_Details=1&ID=7399

If everything works well I'll put them into community (because I'll build them
anyway)

Pierre

--
http://www.archlinux.de

_______________________________________________
arch mailing list
[hidden email]
http://www.archlinux.org/mailman/listinfo/arch

Re: introducing suhosin: a security-extension for php

Luca Peduto
Hi Pierre,
thank you for these packages; I have installed them today.
Do you know if it is possible to disable the safe_mode restriction
without any risks?
Will the suhosin extension protect anyway in this case?
Thank you again

Luca

On 05/11/06, Pierre Schmitz <[hidden email]> wrote:

> Hi Archers,
>
> if you are running a web-server with php you might want to have a look at
> suhosin. It calls itself an "advanced protection system for PHP".
>
> A lot of the last found holes in PHP and some PHP-applications did not affect
> php-installations with suhosin-protection.
>
> You'll find more information on the following sites:
>         http://www.hardened-php.net/suhosin/index.html
>         http://www.hardened-php.net/suhosin/a_feature_list.html
>         http://www.hardened-php.net/suhosin/why.html
>         http://blog.php-security.org/
>
> Yesterday I decided to test this out. Till now it did not break anything and
> the protection seems to work. And the best thing is: it is binary-compatible
> with existing modules and you do not have a noticeable loss of performance.
>
> Suhosin consists of two independent parts:
> 1) a patch against php
>         http://aur.archlinux.org/packages.php?do_Details=1&ID=7398
> 2) a php-extension
>         http://aur.archlinux.org/packages.php?do_Details=1&ID=7399
>
> If everything works well I'll put them into community (because I'll build them
> anyway)
>
> Pierre
>
> --
> http://www.archlinux.de


Re: introducing suhosin: a security-extension for php

Roman Kyrylych
Hi, Pierre!
You may create a hardened-php package as well (PHP + Hardening Patch).

--
Roman Kyrylych (Роман Кирилич)

Re: introducing suhosin: a security-extension for php

Pierre Schmitz
On Sunday, 5 November 2006 at 14:19, Roman Kyrylych wrote:
> You may create a hardened-php package as well (PHP + Hardening Patch).

suhosin is the successor of hardening-patch. So hardening is obsolete now.

--
http://www.archlinux.de


Re: introducing suhosin: a security-extension for php

Roman Kyrylych
2006/11/5, Pierre Schmitz <[hidden email]>:
> On Sunday, 5 November 2006 at 14:19, Roman Kyrylych wrote:
> > You may create a hardened-php package as well (PHP + Hardening Patch).
>
> suhosin is the successor of hardening-patch. So hardening is obsolete now.

Ah, that's even better. :)

--
Roman Kyrylych (Роман Кирилич)

Re: introducing suhosin: a security-extension for php

Pierre Schmitz
In reply to this post by Luca Peduto
On Sunday, 5 November 2006 at 14:04, Luca Peduto wrote:
> Do you know if it is possible to disable the safe_mode restriction
> without any risks?
> Will the suhosin extension protect anyway in this case?

I don't think suhosin and safe_mode have anything in common. Personally I do
not use safe_mode at all. safe_mode introduces more problems than it solves.
But it might be a good idea on shared hosting.

--
http://www.archlinux.de


Re: introducing suhosin: a security-extension for php

Luca Peduto
Ok, thanks. I need to manage a web server with multiple virtual hosts and
I agree with you about safe_mode :-)

On 05/11/06, Pierre Schmitz <[hidden email]> wrote:

> I don't think suhosin and safe_mode have anything in common. Personally I do
> not use safe_mode at all. safe_mode introduces more problems than it solves.
> But it might be a good idea on shared hosting.
>
> --
> http://www.archlinux.de
>


Re: introducing suhosin: a security-extension for php

Pierre Schmitz
In reply to this post by Pierre Schmitz
On Sunday, 5 November 2006 at 13:26, Pierre Schmitz wrote:
> If everything works well I'll put them into community (because I'll build
> them anyway)

OK, both packages are in [community] now. Even if you can use them separately
from each other (stock php with the suhosin extension is possible) it's better to
use both.

I added a more useful php.ini to the package. You'll have to check if your
apps work correctly. (old php4 stuff probably won't)

php-suhosin is a replacement for php, so pacman saves your current php.ini as
php.ini.pacsave. You should check whether the php.ini which comes with suhosin
fits your needs. (in particular, all modules are commented out)

If you use php-apc, too (which I would recommend), make sure you have enabled the
workaround (see php.ini)

Last but not least: Please read the docu on http://www.suhosin.org and test on
a local webserver before you install suhosin.

--
http://www.archlinux.de

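As an added example that is not part of the thread or of the packages Pierre built: a small POSIX shell audit of the php.ini check his last post describes (compare the new php.ini against the php.ini.pacsave pacman left behind, list the modules that are now commented out, confirm the APC workaround is switched on) together with a look at the safe_mode directive Luca asked about earlier. Every file path and file content below is constructed for the demonstration; the directive name suhosin.apc_bug_workaround is an assumption from memory of Suhosin's configuration and should be checked against the php.ini the package actually ships.

```shell
#!/bin/sh
# Added example, not from the thread: audit the php.ini installed by
# php-suhosin against the php.ini.pacsave that pacman saved.
# All paths and file contents are constructed. The directive name
# suhosin.apc_bug_workaround is assumed; verify it in the shipped php.ini.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed: the ini pacman saved (stock php, modules enabled, safe_mode on).
cat > "$WORK/php.ini.pacsave" <<'EOF'
extension=mysql.so
extension=gd.so
extension=apc.so
safe_mode = On
EOF

# Constructed: the ini that came with php-suhosin (modules commented out,
# apc re-enabled by the admin, but the workaround still off).
cat > "$WORK/php.ini" <<'EOF'
;extension=mysql.so
;extension=gd.so
extension=apc.so
extension=suhosin.so
safe_mode = Off
suhosin.apc_bug_workaround = Off
EOF

# Print the value of one directive: first match, trailing ; comment stripped.
ini_value() {
  awk -F= -v key="$2" '
    { k = $1; gsub(/^[[:space:]]+|[[:space:]]+$/, "", k) }
    k == key { v = $2; sub(/;.*/, "", v); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v; exit }
  ' "$1"
}

# List extension= entries that were active in the old ini but are not active
# in the new one (a leading ; makes the key ";extension", so it no longer matches).
lost_extensions() {
  awk -F= '
    $1 ~ /^[[:space:]]*extension[[:space:]]*$/ {
      e = $2; gsub(/[[:space:]]/, "", e)
      if (FNR == NR) old[e] = 1; else new[e] = 1
    }
    END { for (e in old) if (!(e in new)) print e }
  ' "$1" "$2" | sort
}

# Exit 0 when apc.so is loaded but the Suhosin APC workaround is not On.
apc_workaround_missing() {
  grep -Eq '^[[:space:]]*extension[[:space:]]*=[[:space:]]*apc\.so' "$1" || return 1
  grep -Eiq '^[[:space:]]*suhosin\.apc_bug_workaround[[:space:]]*=[[:space:]]*(on|1|true)' "$1" && return 1
  return 0
}

# Emit a copy of the ini with the workaround switched on (also uncomments it).
enable_apc_workaround() {
  sed -E 's/^[[:space:]]*;?[[:space:]]*(suhosin\.apc_bug_workaround)[[:space:]]*=.*/\1 = On/' "$1"
}

enable_apc_workaround "$WORK/php.ini" > "$WORK/php.ini.fixed"

echo "extensions enabled before but not active now:"
lost_extensions "$WORK/php.ini.pacsave" "$WORK/php.ini"
echo "safe_mode: $(ini_value "$WORK/php.ini.pacsave" safe_mode) -> $(ini_value "$WORK/php.ini" safe_mode)"
if apc_workaround_missing "$WORK/php.ini"; then
  echo "apc.so loaded without suhosin.apc_bug_workaround=On; see php.ini.fixed"
fi
```

On a real box you would point the two functions at /etc/php/php.ini and /etc/php/php.ini.pacsave and run them before restarting the web server; the safe_mode value is only reported, since, as the thread notes, Suhosin neither depends on nor replaces it.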