Posted by Nessa | Posted in php,security,tutorials,uncategorized | Posted on April 20, 2007
I noticed a vague mention of Suhosin on a PHP blog that I read on occasion and I decided to give it a whirl to see if it’s as sexy as it sounds. So far my server hasn’t crashed, so I’m willing to recommend it to anyone who’s interested in hardening their PHP. Ok, sorry. I really can’t say that without chuckling. Yes, welcome back to third grade.
If you check out the developer’s site you should pretty much get the idea of what it does, but basically it closes some of the security holes that we see with PHP all the time. Not to say that it will make your PHP 4.3/MySQL3/globals on/port 22 open server any more secure, but if you’re running any of the latest stable security releases you might be somewhat interested.
I’m currently running PHP 5.2.1, which is the latest release of PHP5 at the time of this writing. You can essentially install this on any PHP4+ server that you have root SSH access to. I opted to install the DSO, as I absolutely hate recompiling PHP. Installing Suhosin as a dynamic shared module will not require you to recompile anything, and is therefore the preferred method for lazy people.
Note: I’m using the latest (and only) release at the time of my writing, but head over to the download page to see if there is anything newer:
tar -xvzf suhosin-0.9.20.tgz
Now to install:
It should return a line something like this:
Installing shared extensions: /usr/local/lib/php/extensions/no-debug-non-zts-20060613/
Now, all you have to do is add this line to your php.ini and restart Apache. Of course, the path should be what the installation output gave you:
**If you are running eAccelerator, this should be above the eAccelerator configuration.
When you load up your phpinfo file you should see the module loaded near the Zend section. Everything should be fine as-is, but if you’re one of those people who have to reconfigure everything, knock yourself out.
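An added example, not from the original post: a shell check for the ordering caveat above, confirming that php.ini has an active Suhosin line and that it sits above any eAccelerator line. It assumes the modules are loaded through `extension=` or `zend_extension=` lines naming `suhosin.so` and `eaccelerator.so`; the function name and the sample php.ini fragment are constructed for illustration.

```shell
#!/bin/sh
# check_suhosin_ini FILE   (hypothetical helper, not part of Suhosin)
# Exit status:
#   0 = an active suhosin.so line exists and precedes any eAccelerator line
#   1 = no active suhosin.so line found (missing or commented out)
#   2 = suhosin.so is loaded after eAccelerator
check_suhosin_ini() {
    awk '
        /^[ \t]*;/ { next }                      # skip commented-out lines
        /^[ \t]*(zend_)?extension[ \t]*=/ {      # only module-loading directives
            line = tolower($0)
            # Assumed file names: suhosin.so and eaccelerator.so
            if (line ~ /suhosin\.so/ && !suhosin)   suhosin = NR
            if (line ~ /eaccelerator\.so/ && !eacc) eacc = NR
        }
        END {
            if (!suhosin) exit 1
            if (eacc && eacc < suhosin) exit 2
            exit 0
        }
    ' "$1"
}

# Constructed sample: a php.ini fragment with the two modules in the wrong order.
sample=$(mktemp)
cat > "$sample" <<'EOF'
; constructed example, not a real server config
zend_extension="/usr/local/lib/php/extensions/no-debug-non-zts-20060613/eaccelerator.so"
extension=/usr/local/lib/php/extensions/no-debug-non-zts-20060613/suhosin.so
EOF

rc=0
check_suhosin_ini "$sample" || rc=$?
case "$rc" in
    0) echo "OK: Suhosin is loaded ahead of eAccelerator" ;;
    1) echo "No active suhosin.so line in php.ini" ;;
    2) echo "Suhosin is loaded after eAccelerator: move its line up" ;;
esac
rm -f "$sample"
```

Point it at the file reported as the loaded configuration file in phpinfo, then restart Apache after any change.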