PHP hardening patch - Suhosin
Posted by simonw on Fri 16 Feb 2007 at 08:51
PHP has a notorious security history, but web hosts have to provide it. Suhosin is a security patch that can be applied to change behaviour of the default PHP install in security related ways, and is now packaged in Debian Etch and Sid, with some of it built into the default PHP builds, and some available as an extra.
To install and test:
Create a PHP file somewhere on your website with this in, and view it with Apache to see your PHP config.
<?php phpinfo(); ?>
When viewed, the page should claim that Suhosin is included, but Suhosin directives in the PHP5 ini files will have no effect until the extension package is installed:
apt-get install php5-suhosin
I assume people have PHP5 installed by now!
Viewing the PHP info page should now show a whole "Suhosin" section, listing the values of settings like "suhosin.mail.protect".
As a quick test that it is working, we disable phpinfo:
echo suhosin.executor.func.blacklist="phpinfo" >>/etc/php5/conf.d/suhosin.ini
/etc/init.d/apache2 restart
Reloading the phpinfo page should now give a blank page, and an error like this one should be logged:
[Wed Feb 14 13:30:08 2007] [error] [client ip.ad.dr.es] ALERT - function within blacklist called: phpinfo() (attacker 'ip.ad.dr.es', file '/home/gardens/phpinfo.php', line 2)
Of course one can blacklist functions in PHP without Suhosin; the interest is more in features like the mail function protection.
This note was written because I couldn't find an introduction; the author is not an expert in PHP security!
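Added here as a worked example, not code from the original article: a small Python script that picks the Suhosin ALERT lines out of an Apache error log in the format shown above and tallies them per reporting IP and per blacklisted function, so a blacklist hit gets noticed rather than buried in the log. The log lines are constructed samples using documentation-range IPs; the second function name is an assumed example of another blacklisted call.

```python
import re
from collections import Counter

# Constructed sample Apache error-log lines in the shape Suhosin ALERTs take on
# Etch. The first is adapted from the article; the IPs are documentation-range
# placeholders, not real indicators, and the "system()" entry is an assumed
# second blacklisted function to make the tallies meaningful.
SAMPLE_LOG = """\
[Wed Feb 14 13:30:08 2007] [error] [client 192.0.2.10] ALERT - function within blacklist called: phpinfo() (attacker '192.0.2.10', file '/home/gardens/phpinfo.php', line 2)
[Wed Feb 14 13:31:12 2007] [notice] Apache/2.2.3 (Debian) configured -- resuming normal operations
[Wed Feb 14 13:32:45 2007] [error] [client 192.0.2.10] ALERT - function within blacklist called: phpinfo() (attacker '192.0.2.10', file '/var/www/test.php', line 1)
[Wed Feb 14 13:33:02 2007] [error] [client 198.51.100.7] ALERT - function within blacklist called: system() (attacker '198.51.100.7', file '/var/www/upload/x.php', line 7)
"""

# One regex for the whole ALERT line: timestamp, client, message, and the
# (attacker, file, line) triple Suhosin appends in parentheses.
ALERT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"ALERT - (?P<msg>.+?) \(attacker '(?P<attacker>[^']+)', "
    r"file '(?P<file>[^']+)', line (?P<line>\d+)\)$"
)

def parse_suhosin_alerts(log_text):
    """Return one dict per Suhosin ALERT line; non-ALERT lines are skipped."""
    alerts = []
    for raw in log_text.splitlines():
        m = ALERT_RE.match(raw)
        if m:
            rec = m.groupdict()
            rec["line"] = int(rec["line"])
            alerts.append(rec)
    return alerts

def summarise(alerts):
    """Count alerts per attacker IP and per alert message for quick triage."""
    return {
        "by_attacker": Counter(a["attacker"] for a in alerts),
        "by_message": Counter(a["msg"] for a in alerts),
    }

if __name__ == "__main__":
    found = parse_suhosin_alerts(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']}  {a['attacker']:<15} {a['msg']}  [{a['file']}:{a['line']}]")
    print(summarise(found))
```

On a real host, replace SAMPLE_LOG with the contents of /var/log/apache2/error.log (or feed it line by line from a tail).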
Why would you use Suhosin? If you want to disable functions, you can do this from php.ini?
[ Parent | Reply to this comment ]
Ah.
> the interest is more in the features like the mail function protection.
Newline protection?
The features are listed here:
http://www.hardened-php.net/suhosin/a_feature_list.html
but it's difficult to find an "oh that's nice" feature.
[ Parent | Reply to this comment ]
Some of the memory protection, for example, seems like a good idea. But is it really useful?
[ Parent | Reply to this comment ]
deb http://packages.dotdeb.org stable all
deb-src http://packages.dotdeb.org stable all
-- colabus blogspot colabus requiem
[ Parent | Reply to this comment ]
I can say that the default config (etch) broke:
phpmyadmin login - cookie based login - irrespective of what user name you try to log in with it tries to use www-data@localhost
drupal - saving access permissions (seems to be the only thing - most of the rest works).
So - definitely something to test on a test install first.
[ Parent | Reply to this comment ]
Seems cookies sent before installation are assumed to be encrypted ("a don't start from here" situation), when they obviously are not.
I'd be interested to know if deleting the cookie fixes this issue.
[ Parent | Reply to this comment ]
It may be the case. But - I wonder exactly which cookie it is if so - the error was happening at login - when the cookie is supposed to be created (I don't use persistent cookies for my phpmyadmin and the box has been restarted since suhosin was enabled).
[ Parent | Reply to this comment ]
The stale cookie issue is the problem with phpmyadmin (works fine after removing cookies).
The saving of access permissions under drupal - no - that still fails.
[ Parent | Reply to this comment ]
Suhosin is pretty widely installed, and many Drupal folk use it, so I'd be surprised if it wasn't either state information, or a known issue.
[ Parent | Reply to this comment ]
Bug report?
[ Parent | Reply to this comment ]
On top of that - I am not running the drupal deb package - since I have several areas checked out of CVS, etc etc.
I reckon I need to do more reading and investigating first.
[ Parent | Reply to this comment ]