HomecPanel › Installing Suhosin by Patching PHP Source

Installing Suhosin by Patching PHP Source

October 21, 2009 • By admincPanel

Preparation

When you want to install PHP with the Suhosin-Patch you have to first perform some preparation steps.

Step 1: Installing the Hardened-PHP Project Signaturekey

You should first grab a copy of the Hardened-PHP Project’s Release Signaturekey and import it into your GNU Privacy Guard keychain. (For further information on the usage of gnupg please consult it’s manpage)

#> gpg –import < hardened-php-signature-key.asc
gpg: /root/.gnupg/trustdb.gpg: trust-db erzeugt
gpg: key 0A864AA1: public key “Hardened-PHP Signature Key” imported
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg:                              importiert: 1

Step 2: Downloading and verifying the necessary files

It is now time to grab a copy of a fresh PHP tarball and the latest version of the Suhosin-Patch. Additionally you should get the digital signature (*.sig) files. You can grab all of this on our suhosin download page.

As a first precaution you can check the MD5 hashs of the downloaded files against those you find on the download page.

#> md5sum php-5.1.4.tar.bz2
66a806161d4a2d3b5153ebe4cd0f2e1c  php-5.1.4.tar.bz2
#> md5sum suhosin-patch-5.1.4-0.9.0.patch.gz
ea9026495c4ce34a329fd0a87474f1ba  suhosin-patch-5.1.4-0.9.0.patch.gz

When the MD5 hash values are valid you can check the digital signatures like this.

#> gpg php-5.1.4.tar.bz2.sig
gpg: Signature made Di 16 Mai 2006 23:39:04 CEST using DSA key ID 0A864AA1
gpg: Good signature from “Hardened-PHP Signature Key”
#> gpg suhosin-patch-5.1.4-0.9.0.patch.gz.sig
gpg: Signature made So 21 August 2006 20:02:53 CEST using DSA key ID 0A864AA1
gpg: Good signature from “Hardened-PHP Signature Key”

Step 3: Unpacking and Patching

You now have to unpack the PHP tarball, gunzip the patchfile and then apply the patch.

#> tar -xfj php-5.1.4.tar.bz2
#> gunzip suhosin-patch-5.1.4-0.9.0.patch.gz
#> cd php-5.1.4
#> patch -p 1 -i ../suhosin-patch-5.1.4-0.9.0.patch

If you prefer to have suhosin as builtin extension you can also download the suhosin extension source code and copy the src files into the ext/suhosin directory within your PHP source tree.

Installing on a Generic Linux/Unix

After having prepared the PHP source tree the next step is not much different from the usual installation of PHP. If you have copied the suhosin extension into the ext directory you also have to activate it.

#> [./buildconf - in case you want to compile suhosin statically]
#> ./configure –with-whatever-you-want [--enable-suhosin]
#> make
#> make test
#> make install

By executing make test you can verify, that PHP still works and does not break anything.

If you are upgrading from a previous installation of PHP you do not need to recompile all installed PHP modules and extensions unless you are upgrading to a PHP version that breaks binary compatibility. However recompiling the extensions after having installed PHP with the Suhosin-Patch can protect them from possible format string vulnerabilities, which was built into the header files.

After having recompiled and installed everything, have a look at the bundled php.ini files for examples how to use the new configuration directives. For a documentation of the new directives consult the Configuration section.

Binary extensions from for example Zend should continue flawlessly. If you encounter any problem contact http://www.hardened-php.net immediately.