Compiling PHP with Suhosin
So upon checking php.net I noticed they released PHP 5.2.11. I still haven't upgraded to PHP 5.3.0 because it breaks too many things, and I haven't bothered to figure out how to install both of them at the same time (I'm working on it, though). I've compiled PHP so many times that I can do it quickly and from memory, so I figured I would start sharing some of that knowledge. This post is about compiling PHP with support for some popular add-ons, plus a few security options you should use. I am assuming you use Apache 2 and Linux, and that you are root.
For this, I will be compiling in the Suhosin patch and extension, and enabling various database and other modules that come in handy when working with PHP. I’ve found that I need these to be able to use various software packages.
The first step is to go to php.net and get the URL for the download. For PHP 5.2.11 that URL is http://ca.php.net/distributions/php-5.2.11.tar.bz2
1. mkdir /root/phptemp; cd /root/phptemp
2. wget http://ca.php.net/distributions/php-5.2.11.tar.bz2
3. tar -jxvf php-5.2.11.tar.bz2
4. Now we need to grab the latest Suhosin and hardened PHP patches
5. wget http://download.suhosin.org/suhosin-patch-5.2.11-0.9.7.patch.gz
6. wget http://download.suhosin.org/suhosin-0.9.29.tgz
7. tar -xvzf suhosin-0.9.29.tgz
8. gunzip suhosin-patch-5.2.11-0.9.7.patch.gz
9. Please note that I skipped the signature testing of the two files. This is optional, but I recommend you do not skip it.
10. cd php-5.2.11
11. patch -p1 -i ../suhosin-patch-5.2.11-0.9.7.patch
12. The next step is configuring PHP. You may need to modify some of the paths or install some required software packages.
13. ./configure --with-apxs2=/usr/sbin/apxs --without-sqlite --with-mysql --with-mysqli --with-zlib --with-bz2 --with-gd --with-curl --with-openssl --with-mcrypt --with-mhash --enable-mbstring --with-kerberos --with-imap-ssl --prefix=/usr --with-config-file-path=/etc --with-gettext --with-ttf --enable-exif --with-pear --enable-gd-native-ttf --with-freetype-dir=/usr/include/freetype2/freetype --with-jpeg-dir=/usr/bin --with-png-dir=/usr/bin --enable-calendar
14. make
15. make test
16. make test may not work if you are upgrading and have disabled certain functions.
17. make install
18. make clean
Ok, so now PHP is installed/upgraded, and we need to compile and install the Suhosin extension.
1. cd /root/phptemp/suhosin-0.9.29
2. phpize
3. ./configure
4. make
5. make install
6. vi /etc/php.ini
7. Find the extensions section (or just append to the bottom) and add the line: extension=suhosin.so
This is not a complete resource for installing PHP and Suhosin. I really recommend you read about Suhosin on their website. It is best if you understand this really amazing product.
Now the Suhosin extension is installed and enabled, but some of the other extensions may or may not have been enabled. Use the above syntax of extension=name.so to enable them, and restart Apache after each one to make sure everything works OK.
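Restarting Apache after each extension= line is the manual version of a check you can script. The shell functions below are an added example, not code from the original post: they take php.ini text and the module list that `php -m` prints, and report every configured extension that did not actually load. The function names (`configured_extensions`, `loaded_modules`, `missing_extensions`) and the SAMPLE_* inputs are my own constructed values; on a real host you would feed it `$(cat /etc/php.ini)` and `$(php -m)`.

```shell
#!/bin/sh
# Added example, not code from the original post: compare the extension= lines
# of a php.ini against the module list "php -m" prints and report extensions
# that are configured but did not load. Inputs are passed as text so it also
# works on output captured from another host; SAMPLE_* below are constructed.
export LC_ALL=C

# Module names from the extension= lines of php.ini text (stdin): the key is
# stripped, as are trailing ";" comments, quotes, the ".so" suffix and case.
# Commented-out lines (starting with ";") do not match the leading anchor, and
# "extension_dir" does not match because "_" follows the keyword.
configured_extensions() {
    grep -i '^[[:space:]]*extension[[:space:]]*=' \
        | sed -e 's/^[^=]*=[[:space:]]*//' \
              -e 's/[[:space:]]*;.*$//' \
              -e 's/[[:space:]]*$//' \
              -e 's/^"\(.*\)"$/\1/' \
              -e 's/\.so$//' \
        | tr 'A-Z' 'a-z' | sort -u
}

# Module names from "php -m" output (stdin), skipping the "[PHP Modules]" and
# "[Zend Modules]" headers and blank lines.
loaded_modules() {
    grep -v '^\[' | grep -v '^[[:space:]]*$' | tr 'A-Z' 'a-z' | sort -u
}

# Usage: missing_extensions "<php.ini text>" "<php -m output>"
# Prints configured-but-not-loaded names, one per line; prints nothing when
# every configured extension loaded.
missing_extensions() {
    conf=$(printf '%s\n' "$1" | configured_extensions)
    loaded=$(printf '%s\n' "$2" | loaded_modules)
    for name in $conf; do
        if ! printf '%s\n' "$loaded" | grep -qxF "$name"; then
            printf '%s\n' "$name"
        fi
    done
    return 0
}

# Constructed php.ini fragment: suhosin, mcrypt and imap configured, xdebug
# commented out.
SAMPLE_INI='extension_dir = "/usr/lib/php/modules"
extension=suhosin.so
extension=mcrypt.so
extension=imap.so ; mail support
;extension=xdebug.so'

# Constructed "php -m" output from a server where mcrypt failed to load.
SAMPLE_MODULES='[PHP Modules]
bz2
curl
imap
mbstring
mysql
mysqli
suhosin

[Zend Modules]
Suhosin'

missing_extensions "$SAMPLE_INI" "$SAMPLE_MODULES"
```

With the constructed inputs this prints `mcrypt`, the one extension that was configured but absent from the module list; an empty result means php.ini and the running interpreter agree.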
I use the following directive to disable various functions that aren't normally needed and could pose a security risk.
disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_uname, shell_exec, syslog, system, xmlrpc_entity_decode, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate"
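A hand-maintained disable_functions list is easy to get wrong, and PHP does not validate it: duplicates and misspelt names are accepted silently, and entries such as eval have no effect because eval is a language construct rather than an internal function, so disable_functions cannot disable it. The shell functions below are an added example, not part of the original post (the function names and the CONSTRUCTS reference list are my own): they normalise a disable_functions value, report duplicate entries and construct names, and print a cleaned value ready to paste into php.ini. The SAMPLE value is a constructed fragment of the list above.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a disable_functions
# value before it goes into php.ini. Normalises the comma-separated list, finds
# duplicates, and flags language constructs, which disable_functions silently
# ignores because they are not internal functions.
export LC_ALL=C

# Language constructs that look like functions but are not disableable via
# disable_functions (constructed reference list; extend as needed).
CONSTRUCTS="eval include include_once require require_once isset unset empty echo print exit die"

# Split a disable_functions value (with or without surrounding quotes) into one
# trimmed name per line, in input order, blanks removed.
split_list() {
    printf '%s\n' "$1" | tr -d '"' | tr ',' '\n' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | grep -v '^$'
    return 0
}

# Usage: normalize_list "<value>" -> sorted, de-duplicated names, one per line
normalize_list() {
    split_list "$1" | sort -u
}

# Usage: duplicates "<value>" -> names that appear more than once
duplicates() {
    split_list "$1" | sort | uniq -d
}

# Usage: unusable_entries "<value>" -> names disable_functions cannot act on
unusable_entries() {
    for name in $(normalize_list "$1"); do
        case " $CONSTRUCTS " in
            *" $name "*) printf '%s\n' "$name" ;;
        esac
    done
    return 0
}

# Usage: cleaned_value "<value>" -> de-duplicated list without the unusable
# entries, comma-joined for php.ini
cleaned_value() {
    normalize_list "$1" | while IFS= read -r name; do
        case " $CONSTRUCTS " in
            *" $name "*) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done | paste -s -d ',' -
}

# Constructed fragment of a disable_functions value: posix_setuid is listed
# twice, eval is a construct, and the spacing is irregular on purpose.
SAMPLE='"eval, exec, passthru, posix_setuid, shell_exec, posix_setuid,system , popen"'

echo "duplicates:"; duplicates "$SAMPLE"
echo "ignored by disable_functions:"; unusable_entries "$SAMPLE"
echo "cleaned:"; cleaned_value "$SAMPLE"
```

For the constructed sample the duplicate reported is `posix_setuid`, the ignored entry is `eval`, and the cleaned value is `exec,passthru,popen,posix_setuid,shell_exec,system`. Running the same functions over the full list above surfaces its second `posix_setuid` and its `eval` entry; names that are not PHP functions at all (for example `fp` or `inject_code`) are harmless but add nothing, and the only authoritative check for those is `php -r 'var_dump(function_exists("name"));'` on the target interpreter.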
I set all of my open_basedir options for each virtual host, but I also set a default option just in case. For my server, I have Apache set up using the webroot /chroot/www with a symlink /www pointing to /chroot/www. In my php.ini file, I set open_basedir = /www as a failsafe.