Installing Suhosin

Introduction

Suhosin comes with two parts - the extension and the patch. Both parts can be installed separately and have no dependencies to each other.

Suhosin Extension

Compatibility: The current Suhosin-Extension has been tested with PHP 5.4, 5.5 and 5.6.

Manual Installation

Unlike the Hardening-Patch for PHP, nearly all of Suhosin's features are within the extension. Therefore you might want to only install the extension and use a plain unpatched PHP. Depending on the system we might already offer binary packages. You can check our Suhosin Download page. In that case you only need to activate the extension inside your php.ini and maybe add Configuration directives if you are not satisfied by the default values.

Before you continue compiling the Suhosin-Extension you should verify the file integrity with GnuPG or download the latest source from Github via HTTPS. The next step is unpacking the extension tarball and performing the usual compilation steps for PHP extensions.

Quickstart (probably suitable for most people):

#> cd suhosin
#> phpize
#> ./configure
#> make
#> make install

This should install suhosin.so in the correct extension directory. The final step is adding a load directive to php.ini

extension=suhosin.so

and optionally add some configuration directives in case you do not like the default values.

More elaborate configuration (for advanced users with several PHP installations):

  • #> phpize should be the phpize from your target PHP installation - in case you have more than one PHP installed. So this may actually be something like

    #> /opt/php-5.6.2/bin/phpize
    
  • Point to the correct php-config! If either phpize or php-config does not belong to your target PHP, you may encounter strange errors such as undefined symbol compiler_globals.

    #> ./configure --with-php-config=/opt/php-5.6.2/bin/php-config
    
  • CFLAGS: these may be added to configure as well. e.g.

    #> configure CFLAGS="-arch x86_64
    
  • Some experimental features can be enabled using

    #> configure --enable-suhosin-experimental
    
  • #> make -j2 - for speed. Add CFLAGS here too as needed, e.g. make -j2 CFLAGS="..."

  • #> make install or just copy suhosin.so to your extension_dir.

Installing on Debian and Ubuntu

  • Option 1: Compile a .deb package yourself: (replace version number as appropriate)

    suhosin/pkg $ ./build_deb.sh 0.9.37-1~custom1
    
  • Option 2: We provide precompiled packages of Suhosin's bleeding edge - yet stable enough - development version for Debian (wheezy and jessie / amd64, i386, armhf) and Ubuntu (stable / amd64). Note: This service is free of charge and comes without any warranty. These packages are not recommended for production. Also, please note that Suhosin was compiled depending on stock PHP5 packages; users of custom PHP repositories such as dotdeb should use Option 1.

    ## /etc/apt/sources.list for Debian jessie (stable) (amd64, i386, armhf)
    deb http://repo.suhosin.org/ debian-jessie main
    
    ## /etc/apt/sources.list for Debian wheezy (old stable) (amd64, i386, armhf)
    deb http://repo.suhosin.org/ debian-wheezy main
    
    ## /etc/apt/sources.list for Ubuntu trusty (amd64 only)
    deb http://repo.suhosin.org/ ubuntu-trusty main
    

    Then apt-get install php5-suhosin-extension.

    The repository is signed with our archive key 0xB12D0447319F1ADB.

    $ wget https://sektioneins.de/files/repository.asc
    $ sudo apt-key add repository.asc
    
  • Option 3: Debian provides official Suhosin packages for some Versions, e.g. sid, named php5-suhosin. These are ok as well, but most likely not the latest version. Suhosin is in constant development to keep up to date with modern web attacks. If possible, use Option 1 or 2 instead.

Installing on Gentoo

Installing and using Suhosin on Gentoo is very easy. At the moment the Suhosin patches and extensions are only available in the external PHP Overlay, and not yet in the Portage tree, you can expect them to also be available in the main Portage tree during October 2006. Let’s install the PHP Overlay then:

#> emerge layman
#> layman -f
#> layman -a php-testing

Now let’s install PHP with the Suhosin patch and extension:

#> echo "dev-lang/php" >> /etc/portage/package.keywords
(unstable version needed)
#> USE="suhosin" emerge =php-4* for PHP4, or =php-5* for PHP5

(NOTE: you cannot also have the "hardenedphp" USE flag enabled at the same time!) That’s it, your PHP on Gentoo is now running with the Suhosin patch enabled, and the Suhosin extension was automatically installed (from the dev-php{4,5}/suhosin package).

Installing on FreeBSD

The Suhosin-Patch and the Suhosin extension are both within the FreeBSD ports. Therefore installing it on FreeBSD is very simple. The Suhosin-Patch is an option which you can choose when you install the lang/php4 or lang/php5 port. To install the patch just do

#> cd /usr/ports/lang/php5
#> make
... now select the menu item that says: Enable Suhosin Protection
#> make install

To install the extension just do

#> cd /usr/ports/security/php-suhosin
#> make
#> make install

After these simple steps Suhosin-Patch is successfully installed on your system.

Suhosin-Patch

Note: The Suhosin-Patch is compatible only up to PHP version 5.3.9. You can, however, run the Suhosin-Extension without the Suhosin-Patch with current version of PHP5.

When you want to install PHP with the Suhosin-Patch you have to perform some preparation steps first.

Step 1: Installing the Hardened-PHP Project Signaturekey

You should first grab a copy of the Hardened-PHP Project's Release Signaturekey and import it into your GNU Privacy Guard keychain. (For further information on the usage of gnupg please consult it’s manpage)

#> gpg --import < hardened-php-signature-key.asc
gpg: /root/.gnupg/trustdb.gpg: trust-db erzeugt
gpg: key 0A864AA1: public key "Hardened-PHP Signature Key" imported
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg:                              importiert: 1

Step 2: Downloading and verifying the necessary files

It is now time to grab a copy of a fresh PHP tarball and the latest version of the Suhosin-Patch. Additionally you should get the digital signature (*.sig) files. You can grab all of this on our suhosin download page.

As a first precaution you can check the MD5 hashs of the downloaded files against those you find on the download page.

#> md5sum php-5.1.4.tar.bz2
66a806161d4a2d3b5153ebe4cd0f2e1c  php-5.1.4.tar.bz2
#> md5sum suhosin-patch-5.1.4-0.9.0.patch.gz
ea9026495c4ce34a329fd0a87474f1ba  suhosin-patch-5.1.4-0.9.0.patch.gz

When the MD5 hash values are valid you can check the digital signatures like this.

#> gpg php-5.1.4.tar.bz2.sig
gpg: Signature made Di 16 Mai 2006 23:39:04 CEST using DSA key ID 0A864AA1
gpg: Good signature from "Hardened-PHP Signature Key"
#> gpg suhosin-patch-5.1.4-0.9.0.patch.gz.sig
gpg: Signature made So 21 August 2006 20:02:53 CEST using DSA key ID 0A864AA1
gpg: Good signature from "Hardened-PHP Signature Key"
Step 3: Unpacking and Patching

You now have to unpack the PHP tarball, gunzip the patchfile and then apply the patch.

#> tar -xfj php-5.1.4.tar.bz2
#> gunzip suhosin-patch-5.1.4-0.9.0.patch.gz
#> cd php-5.1.4
#> patch -p 1 -i ../suhosin-patch-5.1.4-0.9.0.patch

If you prefer to have suhosin as builtin extension you can also download the suhosin extension source code and copy the src files into the ext/suhosin directory within your PHP source tree.

Installing on a Generic Linux/Unix

After having prepared the PHP source tree the next step is not much different from the usual installation of PHP. If you have copied the suhosin extension into the ext directory you also have to activate it.

#> [./buildconf - in case you want to compile suhosin statically]
#> ./configure --with-whatever-you-want [--enable-suhosin]
#> make
#> make test
#> make install

By executing make test you can verify, that PHP still works and does not break anything.

If you are upgrading from a previous installation of PHP you do not need to recompile all installed PHP modules and extensions unless you are upgrading to a PHP version that breaks binary compatibility. However recompiling the extensions after having installed PHP with the Suhosin-Patch can protect them from possible format string vulnerabilities, which was built into the header files.

After having recompiled and installed everything, have a look at the bundled php.ini files for examples how to use the new configuration directives. For a documentation of the new directives consult the Configuration section.

Binary extensions from for example Zend should continue flawlessly. If you encounter any problem contact us immediately.

Upgrading

Upgrading to a new PHP or new Suhosin-Patch version is quite identical to the normal installation process. This is like upgrading a normal PHP. That means, if the binary compatibility was broken between PHP versions you have to recompile all installed PHP modules/extension. Upgrading the Suhosin-Extension on the other hand is as simple as recompiling it (or using a binary), replacing the file and restarting your webserver.