February 16th, 2008   #1
Jeremy23
PHP has Suhosin by default?

I just installed and configured a LAMP server on my Hardy machine (actually, using Lighttpd instead of Apache), ran phpinfo(), and it says that the "server is protected with the Suhosin Patch 0.9.6.2".

I certainly didn't install Suhosin...

Code:
jeremy@rillian:~$ dpkg -s php5-suhosin
Package `php5-suhosin' is not installed and no info is available.

...which leads me to the conclusion that Ubuntu ships it with Suhosin without any intervention? I have a Feisty server, and that one doesn't have Suhosin -- it only seems to apply to my Hardy machine.

Seems like a good thing to do, but there may be compatibility issues with running non-standard versions of PHP.
__________________
Jeremy Visser
Email: jeremy,visser#gmail,com
Blog: http://jeremy.visser.name/

February 16th, 2008   #2
faulkes
Re: PHP has Suhosin by default?

Interesting, could you output the phpinfo() section which relates to suhosin?

Having checked launchpad for Hardy I don't see it being listed as a compiled in option or a dependency (and there is a separate php5-suhosin package as well).

Edit: also the following may give us more information

Code:
aptitude changelog php5

and 

aptitude changelog libapache2-mod-php5

That will probably be a large file, so you may have to spend a bit of time looking through it.

Faulkes
__________________
Ubuntu Server Team Member && If your post was solved, please mark it [SOLVED] under Thread Tools
Official Gutsy 7.10 Server Documentation || Community based Server Documentation

Last edited by faulkes; February 16th, 2008 at 12:02 PM..

February 16th, 2008   #3
Jeremy23
Re: PHP has Suhosin by default?

Yeah, actually, I found it in the changelog yesterday. Here's an abridged version of the changelog entry:

Quote:
php5 (5.2.4-1) unstable; urgency=low

* we shipping with the suhosin patch enabled by default.

And yes, in phpinfo(), it says:

Quote:
This server is protected with the Suhosin Patch 0.9.6.2
Copyright (c) 2006 Hardened-PHP Project

March 31st, 2008   #4
ned worcs
Re: PHP has Suhosin by default?

I've come up against this too. I've installed Hardy beta and Suhosin has post.max_vars set at 200, which is the default, causing problems with some scripts.

What's the best way to change the value please?

May 20th, 2008   #5
scaredpoet
Re: PHP has Suhosin by default?

This thread needs to be revived I think. Has anyone figured out how to remove the suhosin patch from the php5 standard install in Hardy?

May 25th, 2008   #6
Jeremy23
Re: PHP has Suhosin by default?

Let me check.

The patch is probably located in the /debian/ directory, so making a new set of debs without Suhosin should be as simple as reversing the patch.

Of course, I haven't checked yet, so this may be more complicated than it seems.

May 25th, 2008   #7
Jeremy23
Re: PHP has Suhosin by default?

Before you get your hopes up, please be aware that I have not even tested to see if the following works. Seems likely that it will, though.

Okay, in the PHP5 source, there is a patch file in "debian/patches/suhosin.patch".

To get to this source, you can do: (without sudo, please)

Code:
mkdir work && cd work && apt-get source php5 && cd php5-5.2.4

Make sure you can build it by doing:

Code:
sudo apt-get build-dep php5

Okay, it looks like the patch isn't applied at this stage (it probably gets applied when you build the package), so just do this:

Code:
rm debian/patches/suhosin.patch

Now, you want to bump up the version number:

Code:
debchange -v 5.2.4-2ubuntu6~nosuhosin

If you've never built a Debian package before, that'll probably fail. To fix it, do this:

Code:
sudo apt-get install devscripts

...and run debchange again.

When you get presented with the nano text editor, just type something like "Hopefully removed Suhosin", and press Ctrl+X and Enter to save.

Should be good to build now. Do this:

Code:
debuild

You should end up with some new .deb packages:

Code:
ls -l ../*.deb

A quick and dirty way to install them (might break stuff) is:

Code:
sudo dpkg -i ../*.deb

May 25th, 2008   #8
Jeremy23
Re: PHP has Suhosin by default?

Quote:
Originally Posted by ned worcs
I've come up against this too. I've installed Hardy beta and Suhosin has post.max_vars set at 200, which is the default, causing problems with some scripts.

What's the best way to change the value please?

Ned, you can change these things in /etc/php5/apache2/php.ini.
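
Added example, not part of the original thread: a shell helper that reads `php -i` text and reports separately whether the Suhosin patch banner quoted in post #3 is present and whether the Suhosin extension's `suhosin.post.max_vars` limit is set, which is the distinction behind the empty `dpkg -s php5-suhosin` result in post #1. The `name => local => master` row layout, the full directive name, and the presence of the banner in text output are assumptions; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: classify Suhosin state from `php -i` text on stdin.
# Live use: php -i | suhosin_report

suhosin_report() {
    awk '
        # Banner quoted in the thread; present when the patch is compiled in.
        /protected with the Suhosin Patch/ {
            for (i = 1; i < NF; i++) if ($i == "Patch") patch = $(i + 1)
        }
        # Extension directive row, assumed layout: name => local => master.
        $1 == "suhosin.post.max_vars" && $2 == "=>" { ext = 1; limit = $3 }
        END {
            printf "patch=%s extension=%s post_max_vars=%s\n",
                (patch != "" ? patch : "absent"),
                (ext ? "loaded" : "absent"),
                (ext ? limit : "n/a")
        }
    '
}

# Constructed sample: patched PHP build, php5-suhosin not installed.
sample_patch_only() {
    cat <<'EOF'
This server is protected with the Suhosin Patch 0.9.6.2
Copyright (c) 2006 Hardened-PHP Project
EOF
}

# Constructed sample: patched build with the extension loaded as well.
sample_patch_and_extension() {
    sample_patch_only
    echo 'suhosin.post.max_vars => 200 => 200'
}

sample_patch_only | suhosin_report
sample_patch_and_extension | suhosin_report
```

The CLI and the web server module can read different php.ini files, so a value reported by `php -i` is not necessarily the one the web server applies.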

June 20th, 2008   #9
bjk03
Re: PHP has Suhosin by default?

Quote:
Originally Posted by Jeremy23
Before you get your hopes up, please be aware that I have not even tested to see if the following works. Seems likely that it will, though.

Okay, in the PHP5 source, there is a patch file in "debian/patches/suhosin.patch".

To get to this source, you can do: (without sudo, please)

Code:
mkdir work && cd work && apt-get source php5 && cd php5-5.2.4
Make sure you can build it by doing:

Code:
sudo apt-get build-dep php5
Okay, it looks like the patch isn't applied at this stage (it probably gets applied when you build the package), so just do this:

Code:
rm debian/patches/suhosin.patch
Now, you want to bump up the version number:

Code:
debchange -v 5.2.4-2ubuntu6~nosuhosin
If you've never built a Debian package before, that'll probably fail. To fix it, do this:

Code:
sudo apt-get install devscripts
...and run debchange again.

When you get presented with the nano text editor, just type something like "Hopefully removed Suhosin", and press Ctrl+X and Enter to save.

Should be good to build now. Do this:

Code:
debuild
You should end up with some new .deb packages:

Code:
ls -l ../*.deb
A quick and dirty way to install them (might break stuff) is:

Code:
sudo dpkg -i ../*.deb

It did not work for me. Said it couldn't find source. What else can I do to get rid of Suhosin?

June 20th, 2008   #10
Jeremy23
Re: PHP has Suhosin by default?

That does not give me nearly enough information to let me help you.

Can you at least post the error message with the command you typed?