Monday, July 11, 2011

PHP with The Suhosin Patch



On BackTrack 5, the suhosin already exist when we install with apt-get install phpmyadmin - mysql-server - php5-cgi. To check that, we can create file php at localhost, and the simple codes are:

<?
phpinfo();
?>


Now, we call the localhost (http://127.0.0.1/1.php) to get information about suhosin in phpinfo.



Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts, that can be used separately or in combination. The first part is a small patch against the PHP core, that implements a few low-level protections against bufferoverflows or format string vulnerabilities and the second part is a powerful PHP extension that implements all the other protections.

Unlike the PHP Hardening-Patch Suhosin is binary compatible to normal PHP installation, which means it is compatible to 3rd party binary extension like ZendOptimizer. I get much information about installation sihosin on ubuntu (debian), so this is the article which i take it.

Installing Suhosin
First we install the Suhosin PHP extension which is available as a package in the Debian Etch and Ubuntu repositories:

apt-get install php5-suhosin

Now on for the Suhosin patch. To install the patch, we need to recompile PHP5 on our system. Fortunately there's an easy way to do this: we download the PHP5 source package from our Debian/Ubuntu repository. That's the package from which our current PHP5 installation was compiled. Then we apply the Suhosin patch to the sources, and create new PHP5 .deb packages with dpkg-buildpackage. That way, we don't have to worry about the right PHP5 configuration options, and we stay in sync with our apt package database.

First we install everything we need to compile PHP5 from the sources:

apt-get install dpkg-dev build-essential

Then we go to the /usr/src directory and download the PHP5 sources:

cd /usr/src
apt-get source php5


Next we install the Hardened PHP-Project signaturekey:

wget http://www.hardened-php.net/hardened-php-signature-key.asc
gpg --import < hardened-php-signature-key.asc


Then we go to http://www.hardened-php.net/suhosin/download.html and select the Suhosin patch that suits our PHP version. In this tutorial my PHP version is 5.2.0-8+etch1, so I download the patch for PHP 5.2.0:

wget http://www.hardened-php.net/suhosin/_media/suhosin-patch-5.2.0-0.9.6.2.patch.gz

Now we unpack that patch and apply it to our PHP sources:

gunzip suhosin-patch-5.2.0-0.9.6.2.patch.gz
cd php5-5.2.0
patch -p 1 -i ../suhosin-patch-5.2.0-0.9.6.2.patch


After the patch has been applied without errors, we build our new PHP5 .deb packages:

dpkg-buildpackage

Depending on what PHP5 modules you have installed, dpkg-buildpackage will most likely complain about missing packages that it needs to build new packages for the various PHP5 modules:

server1:/usr/src/php5-5.2.0# dpkg-buildpackage
dpkg-buildpackage: source package is php5
dpkg-buildpackage: source version is 5.2.0-8+etch1
dpkg-buildpackage: source changed by sean finney
dpkg-buildpackage: host architecture i386
dpkg-buildpackage: source version without epoch 5.2.0-8+etch1
dpkg-checkbuilddeps: Unmet build dependencies: apache-dev (>= 1.3.23) apache2-prefork-dev (>= 2.0.53-3) bison chrpath debhelper (>= 3) firebird2-dev flex (>= 2.5.4) freetds-dev libapr1-dev (>= 1.2.7-8) libbz2-dev (>= 1.0.0) libc-client-dev libcurl3-openssl-dev | libcurl3-dev libdb4.4-dev libexpat1-dev (>= 1.95.2-2.1) libfreetype6-dev libgcrypt11-dev libgd2-xpm-dev (>= 2.0.28-3) libjpeg62-dev libkrb5-dev libldap2-dev libmcrypt-dev libmhash-dev (>= 0.8.8) libmysqlclient15-dev | libmysqlclient12-dev libncurses5-dev libpam0g-dev libpcre3-dev (>= 6.6) libpng12-dev libpq-dev | postgresql-dev libpspell-dev librecode-dev libsnmp9-dev | libsnmp-dev libsqlite0-dev libt1-dev libtidy-dev libwrap0-dev libxmltok1-dev libxml2-dev (>= 2.4.14) libxslt1-dev (>= 1.0.18) re2c unixodbc-dev
dpkg-buildpackage: Build dependencies/conflicts unsatisfied; aborting.
dpkg-buildpackage: (Use -d flag to override.)


If you see an error like this, install the missing packages (a | symbol means OR, e.g. package1 | package2 means that you can install either package1 or package2), e.g. like this:

apt-get install apache-dev apache2-prefork-dev bison chrpath debhelper firebird2-dev flex freetds-dev libapr1-dev libbz2-dev libc-client-dev libcurl3-dev libdb4.4-dev libexpat1-dev libfreetype6-dev libgcrypt11-dev libgd2-xpm-dev libjpeg62-dev libkrb5-dev libldap2-dev libmcrypt-dev libmhash-dev libmysqlclient15-dev libncurses5-dev libpam0g-dev libpcre3-dev libpng12-dev libpq-dev libpspell-dev librecode-dev libsnmp9-dev libsqlite0-dev libt1-dev libtidy-dev libwrap0-dev libxmltok1-dev libxml2-dev libxslt1-dev re2c unixodbc-dev

Afterwards, run dpkg-buildpackage again:

dpkg-buildpackage

This should now compile PHP5 and all installed PHP5 modules again and create new .deb packages in the /usr/src directory. This can take some time, so please be patient. It's possible that you get some warnings about signatures at the end - you can ignore them.

Afterwards, we go to the /usr/src directory and see what we got:

cd /usr/src
ls -l


The output could look like this:

server1:/usr/src# ls -l
total 21792
-rw-r--r-- 1 root src 1351 2005-07-05 13:02 hardened-php-signature-key.asc
-rw-r--r-- 1 root src 2419598 2007-03-29 16:37 libapache2-mod-php5_5.2.0-8+etch1_i386.deb
-rw-r--r-- 1 root src 2418714 2007-03-29 16:37 libapache-mod-php5_5.2.0-8+etch1_i386.deb
drwxr-xr-x 20 root root 4096 2007-03-29 16:37 php5-5.2.0
-rw-r--r-- 1 root src 1044 2007-03-29 16:37 php5_5.2.0-8+etch1_all.deb
-rw-r--r-- 1 root src 124228 2007-03-29 16:02 php5_5.2.0-8+etch1.diff.gz
-rw-r--r-- 1 root src 1739 2007-03-29 16:02 php5_5.2.0-8+etch1.dsc
-rw-r--r-- 1 root src 5689 2007-03-29 16:38 php5_5.2.0-8+etch1_i386.changes
-rw-r--r-- 1 root src 8583491 2006-11-07 13:34 php5_5.2.0.orig.tar.gz
-rw-r--r-- 1 root src 4771850 2007-03-29 16:37 php5-cgi_5.2.0-8+etch1_i386.deb
-rw-r--r-- 1 root src 2405518 2007-03-29 16:37 php5-cli_5.2.0-8+etch1_i386.deb
-rw-r--r-- 1 root src 215058 2007-03-29 16:37 php5-common_5.2.0-8+etch1_i386.deb
-rw-r--r-- 1 root src 24464 2007-03-29 16:37 php5-curl_5.2.0-8+etch1_i386.deb
-rw-r--r-- 1 root src 350954 2007-03-29 16:37 php5-dev_5.2.0-8+etch1_i386.deb
-rw-r--r-- 1 root src 33416 2007-03-29 16:37 php5-gd_5.2.0-8+etch1_i386.deb
-rw-r--r-- 1 root src 34496 2007-03-29 16:37 php5-imap_5.2.0-8+etch1_i386.deb
-rw-r--r-- 1 root src 44322 2007-03-29 16:37 php5-interbase_5.2.0-8+etch1_i386.deb
-rw-r--r-- 1 root src 17232 2007-03-29 16:37 php5-ldap_5.2.0-8+etch1_i386.deb
-rw-r--r-- 1 root src 12822 2007-03-29 16:37 php5-mcrypt_5.2.0-8+etch1_i386.deb
-rw-r--r-- 1 root src 5046 2007-03-29 16:37 php5-mhash_5.2.0-8+etch1_i386.deb
-rw-r--r-- 1 root src 64902 2007-03-29 16:37 php5-mysql_5.2.0-8+etch1_i386.deb
-rw-r--r-- 1 root src 33410 2007-03-29 16:37 php5-odbc_5.2.0-8+etch1_i386.deb
-rw-r--r-- 1 root src 50652 2007-03-29 16:37 php5-pgsql_5.2.0-8+etch1_i386.deb
-rw-r--r-- 1 root src 8628 2007-03-29 16:37 php5-pspell_5.2.0-8+etch1_i386.deb
-rw-r--r-- 1 root src 4756 2007-03-29 16:37 php5-recode_5.2.0-8+etch1_i386.deb
-rw-r--r-- 1 root src 11302 2007-03-29 16:37 php5-snmp_5.2.0-8+etch1_i386.deb
-rw-r--r-- 1 root src 34454 2007-03-29 16:37 php5-sqlite_5.2.0-8+etch1_i386.deb
-rw-r--r-- 1 root src 18392 2007-03-29 16:37 php5-sybase_5.2.0-8+etch1_i386.deb
-rw-r--r-- 1 root src 16478 2007-03-29 16:37 php5-tidy_5.2.0-8+etch1_i386.deb
-rw-r--r-- 1 root src 36450 2007-03-29 16:37 php5-xmlrpc_5.2.0-8+etch1_i386.deb
-rw-r--r-- 1 root src 12260 2007-03-29 16:37 php5-xsl_5.2.0-8+etch1_i386.deb
-rw-r--r-- 1 root src 310194 2007-03-29 16:37 php-pear_5.2.0-8+etch1_all.deb
-rw-r--r-- 1 root src 95588 2007-03-06 10:37 suhosin-patch-5.2.0-0.9.6.2.patch


Now we install all the new PHP5 .deb packages (compare the creation times to see which packages are new) except a few - for example, we don't need php5-cgi and php5-cli because we use mod_php. php-pear and libapache-mod-php5 aren't needed either. libapache-mod-php5 is for Apache 1.3, but we have Apache 2.2 installed, therefore we need libapache2-mod-php5.

dpkg -i libapache2-mod-php5_5.2.0-8+etch1_i386.deb php5_5.2.0-8+etch1_all.deb php5-common_5.2.0-8+etch1_i386.deb php5-curl_5.2.0-8+etch1_i386.deb php5-dev_5.2.0-8+etch1_i386.deb php5-gd_5.2.0-8+etch1_i386.deb php5-imap_5.2.0-8+etch1_i386.deb php5-interbase_5.2.0-8+etch1_i386.deb php5-ldap_5.2.0-8+etch1_i386.deb php5-mcrypt_5.2.0-8+etch1_i386.deb php5-mhash_5.2.0-8+etch1_i386.deb php5-mysql_5.2.0-8+etch1_i386.deb php5-odbc_5.2.0-8+etch1_i386.deb php5-pgsql_5.2.0-8+etch1_i386.deb php5-pspell_5.2.0-8+etch1_i386.deb php5-recode_5.2.0-8+etch1_i386.deb php5-snmp_5.2.0-8+etch1_i386.deb php5-sqlite_5.2.0-8+etch1_i386.deb php5-sybase_5.2.0-8+etch1_i386.deb php5-tidy_5.2.0-8+etch1_i386.deb php5-xmlrpc_5.2.0-8+etch1_i386.deb php5-xsl_5.2.0-8+etch1_i386.deb

The last command willl automatically make Apache restart, so we don't have to. Now let's call our info.php page again in a browser. If everything ok, you should now see Suhosin.

Disable Suhosin with php.ini and .htaccess
Suhosin for a domain can be disabled by 2 methods:

1. Using php.ini
2. Using .htaccess

Following are the steps in order to

1. Disable suhosin using php.ini

a) Login to the server as root

b) Copy the servers customized php.ini file to the document root of the domain

[root@server]# php -i | grep php.ini
Configuration File (php.ini) Path => /usr/local/lib
Loaded Configuration File => /usr/local/lib/php.ini

[root@server]# cp /usr/local/lib/php.ini /home/username/public_html


c) Open the php.ini file and add the following code to the file:

[suhosin]
; Misc Options
suhosin.simulation = On


[On indicates disabled, Off indicates enabled]

d) Save and quit the file. Restart apache. That's it. Suhosin for a domain will now be disabled

2. Disable SUHOSIN via .htaccess

a) Go to the document root for the domain and open the .htaccess file for the domain

b) Now enter the following code in the file

php_flag suhosin.simulation On

c) If the server is configured to use suphp try entering following code in .htaccess

<files “.ht*”>
deny from all
</Files>

suPHP_ConfigPath /home/username


d) Save and quit the file. Restart apache. That's it. Suhosin for a domain will now be disabled.

Disable Suhosin with Php5-Suhosin

After we install with apt-get install php5-suhosin, then edit our configuration at /etc/php5/conf.d/suhosin.ini and don't forget to restart apache with /etc/init.d/apache2 restart. For the suhosin configuration, follow the link in my references about suhosin configuration. Have a nice days..

References:
http://www.debian-administration.org/article/498/PHP_hardening_patch_-_Suhosin
http://www.hardened-php.net/suhosin/configuration.html
http://www.hardened-php.net/suhosin/index.html
http://www.howtoforge.com/suhosin_php_debian_etch_ubuntu
http://www.php.net
http://ubuntuforums.org/showthread.php?t=1074579

0 comments:

Post a Comment