Hardening PHP servers with Suhosin
Thursday, November 09 2006 16:44
PHP is extremely popular for small-scale web application development. However, PHP has a long history of major security problems. PHP also lowers the barrier of entry for first-time web developers, so unfortunately many PHP applications have their own security issues. The Hardened PHP project is a group of developers working to improve the situation. They regularly discover and report bugs in the PHP code base, and a few years ago started producing a hardening patch that adds protections against common attacks, including buffer overflows, format string vulnerabilities and the infamous remote include vulnerabilities. Unfortunately, to use the patch you have to re-compile PHP from source.

Now the group also provides the Suhosin extension, which can be added to most existing PHP installations. If you use Apache with the mod_php module provided by your Linux distribution, you can now add extra security features without re-compiling. The extension doesn't provide all the protection of the hardening patch, but if you look at the Suhosin feature list it provides many protections worth having. Both Gentoo Linux and FreeBSD include Suhosin in their ports trees. If you use Ubuntu, Debian or another distribution, an older version is available, but it is wise to always run the latest version. However, you may have trouble compiling the extension on Debian and Ubuntu. This is a guide to compiling and installing Suhosin on those platforms.

Before you begin you'll need GCC and other compiler tools installed (installing the build-essential package is a good start). To build PHP extensions you'll also need the php5-dev package and its dependencies.
Download the Suhosin extension source code (not the Suhosin patch source code) to a temporary directory (/usr/local/src is a good location) and unpack the archive in the usual way:

    tar xvzf suhosin-0.9.11.tgz

Unfortunately, the php5-dev package on Ubuntu is missing mbstring.h (even though the binary PHP was compiled with mbstring), which causes the current Suhosin release to fail to build. A less-than-elegant fix is to edit the reference to that header out of the source. Change into the Suhosin extension source directory and edit the file rfc1867.c, changing:

    #if HAVE_MBSTRING && !defined(COMPILE_DL_MBSTRING)

into:

    #if 0 && HAVE_MBSTRING && !defined(COMPILE_DL_MBSTRING)

Next, prepare the build system and configure the extension:

    /usr/bin/phpize
    ./configure

Assuming the above produces no error messages, you are ready to compile and install:

    make
    make install

You should now have a file named suhosin.so in /usr/lib/php5/20051025/ (or whatever directory was printed when you ran 'make install'). Now the extension must be activated in PHP. Edit /etc/php5/apache2/php.ini, go to the extension list near the bottom of the file and add the following line at the top of that list:

    extension="suhosin.so"

Finally, check that Apache accepts the extension and the changes you made to php.ini:

    apache2ctl configtest

If no errors are displayed, it should be safe to restart Apache to activate the extension:

    /etc/init.d/apache2 restart

At this point it's a good idea to test a few PHP web pages to make sure Apache and PHP are still working correctly; a phpinfo() page served through Apache should now show a suhosin section. Note that the CLI php binary on Debian and Ubuntu reads a different php.ini (under /etc/php5/cli/), so 'php -m' on the command line does not tell you what mod_php has loaded.

Configuration options

Suhosin is designed to work "out of the box" without any configuration changes. However, to start with you may want to activate simulation mode, which reports security violations but does not block anything. On a production server it's a good idea to use this mode until you've resolved any issues with the PHP applications you run. To activate it, add the following to php.ini:

    suhosin.simulation = On

Other settings are described on the Suhosin web site.
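The whole procedure above, from unpacking the tarball to restarting Apache, as one script. This is an added example, not code from the original article or from the Suhosin project. It assumes a Debian/Ubuntu box with php5-dev installed, that suhosin-0.9.11.tgz has already been downloaded into /usr/local/src (override with SRC and SUHOSIN_VER), and that Apache's php.ini lives at /etc/php5/apache2/php.ini (override with PHP_INI). The header edit and the php.ini edits are written so that running the script twice does not patch the source twice or add duplicate lines.

```shell
#!/bin/sh
# Added example, not code from the original article or from the Suhosin
# project: the build-and-enable procedure as one script for Debian/Ubuntu
# with php5-dev installed. Assumed: suhosin-0.9.11.tgz is already in $SRC
# (the article's /usr/local/src) and Apache's php.ini is at $PHP_INI.
# Run as root with SUHOSIN_RUN=1; without it only the functions are defined.
set -eu

SRC="${SRC:-/usr/local/src}"
SUHOSIN_VER="${SUHOSIN_VER:-0.9.11}"
PHP_INI="${PHP_INI:-/etc/php5/apache2/php.ini}"

# Work around the mbstring.h missing from Ubuntu's php5-dev by disabling the
# mbstring branch in rfc1867.c, exactly the edit the article describes.
# Takes the path to rfc1867.c; a second run leaves an already-patched file alone.
patch_mbstring_guard() {
    f="$1"
    if grep -q '^#if 0 && HAVE_MBSTRING && !defined(COMPILE_DL_MBSTRING)' "$f"; then
        return 0
    fi
    sed 's/^#if HAVE_MBSTRING && !defined(COMPILE_DL_MBSTRING)/#if 0 \&\& HAVE_MBSTRING \&\& !defined(COMPILE_DL_MBSTRING)/' \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    # fail loudly if the expected line was not there to patch
    grep -q '^#if 0 && HAVE_MBSTRING' "$f"
}

# Append extension="suhosin.so" to php.ini once; repeat runs must not add
# duplicate lines (PHP would try to load the module twice and warn).
enable_extension() {
    ini="$1"
    if grep -Eq '^extension="?suhosin\.so"?' "$ini"; then
        return 0
    fi
    printf '\nextension="suhosin.so"\n' >> "$ini"
}

# Start in simulation mode: violations are logged, nothing is blocked.
enable_simulation() {
    ini="$1"
    if grep -q '^suhosin.simulation' "$ini"; then
        return 0
    fi
    printf 'suhosin.simulation = On\n' >> "$ini"
}

build_and_install() {
    cd "$SRC"
    tar xzf "suhosin-$SUHOSIN_VER.tgz"
    cd "suhosin-$SUHOSIN_VER"
    patch_mbstring_guard rfc1867.c
    /usr/bin/phpize
    ./configure
    make
    make install    # prints the extension dir, e.g. /usr/lib/php5/20051025/
}

main() {
    build_and_install
    enable_extension "$PHP_INI"
    enable_simulation "$PHP_INI"
    apache2ctl configtest      # set -e aborts here if php.ini is now broken
    /etc/init.d/apache2 restart
}

if [ "${SUHOSIN_RUN:-0}" = 1 ]; then
    main
fi
```

Run it as `SUHOSIN_RUN=1 sh suhosin-install.sh` (hypothetical file name). Because of `set -e`, a failing `./configure`, `make` or `apache2ctl configtest` stops the script before Apache is restarted, which is the order you want on a production box.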
Note that by default all remote include methods are disabled. Also disabled by default is uploading binaries that contain ELF headers (i.e. Unix/Linux executables).

Does it help?

The Suhosin extension adds several much-needed protections to the PHP engine and to PHP applications. Features like cookie encryption, session protections and length limits are welcome improvements, and extensibility such as being able to check uploads with an external script (e.g. to run a virus scanner) is fantastic. Certainly tools like this are band-aids and won't stop every attack, but when you have no choice but to run PHP, each additional safeguard helps.
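An upload verification script of the kind mentioned above, written here as an added example; it is not from the original article or from Suhosin itself. It assumes the calling convention of suhosin.upload.verification_script as documented for Suhosin, which you should confirm for your version: Suhosin runs the script with the path of the uploaded temporary file as its only argument and accepts the upload only when the first line of output is "1". The script rejects ELF executables by checking the magic bytes itself (the same class of file Suhosin's default already refuses) and then hands anything else to clamscan when that is installed.

```shell
#!/bin/sh
# Added example, not part of the article or of Suhosin: an upload verification
# script for suhosin.upload.verification_script. Assumed convention (check it
# against the Suhosin docs for your version): Suhosin calls this script with
# the uploaded temp file's path as the only argument and accepts the upload
# only if the first line printed is "1".

# Return 0 if the file starts with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# Return 0 (accept) or 1 (reject) for the file at $1. Rejects a missing file,
# rejects ELF executables outright, then runs clamscan if it is available.
check_upload() {
    f="$1"
    [ -f "$f" ] || return 1
    if is_elf "$f"; then
        logger -t upload-check "rejected ELF upload $f" 2>/dev/null || :
        return 1
    fi
    if command -v clamscan >/dev/null 2>&1; then
        clamscan --quiet --no-summary "$f" >/dev/null 2>&1 || return 1
    fi
    return 0
}

# When invoked by Suhosin with one argument, print the verdict it expects.
if [ $# -eq 1 ]; then
    if check_upload "$1"; then
        echo 1
    else
        echo 0
    fi
fi
```

Point suhosin.upload.verification_script at the script's path in php.ini and make it executable by the Apache user only. Anything the script prints other than "1" on the first line, including a crash that prints nothing, results in the upload being refused, so the failure mode is closed rather than open.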