recompile PHP with Suhosin

NuSneller

Verified User
Joined
Sep 22, 2010
Messages
24
I did everything how it's written but "make" gives me " *** No targets specified and no makefile found. stop. " I run Debian 5 with php5.2.14 and did:


cd /usr/local/directadmin/custombuild
./build update
./build set clean no
tar xzf php-5.2.14.tar.gz
wget http://download.suhosin.org/suhosin-patch-5.2.14-0.9.7.patch.gz
gunzip suhosin-patch-5.2.14-0.9.7.patch.gz
patch -p0 < suhosin-patch-5.2.14-0.9.7.patch
cd php-5.2.14
`../build used_configs | grep PHP5 | cut -d: -f2`
make (THIS ISN't WORKING)
make install
/etc/init.d/httpd restart
cd ..
./build set clean yes


Why does make give this error?
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,793
Location
A Coruña, Spain
try this:

Code:
cd /usr/local/directadmin/custombuild
rm -rf php*
./build update
./build set clean no
tar xzf php-5.2.13.tar.gz
wget http://download.suhosin.org/suhosin-patch-5.2.13-0.9.7.patch.gz
gunzip suhosin-patch-5.2.13-0.9.7.patch.gz
patch -p0 < suhosin-patch-5.2.13-0.9.7.patch
nano build
# In build, find every FILE=${CWD}/php-${PHP5_VER} line and, 3 lines below it, comment out the corresponding line so it reads:
#   #tar xzf ${FILE}
# Save and exit, then run:
./build php n
/etc/init.d/httpd restart
./build set clean yes

Regards
 

Blueman

Verified User
Joined
Nov 20, 2009
Messages
53
I have a question. What about "mail-header.patch"? Do I have to apply it before or after the suhosin patch?

patch -p0 < php-5.2.xx-mail-header.patch
 

fastsvc

Verified User
Joined
Apr 12, 2009
Messages
21
cli vs cgi

All the info in here works great with CLI, but when it comes to CGI it does not work, and that's because CGI is installed in the php5 folder vs CLI, which is installed in the php folder. So the commands have to be modified to look for php.ini in php5.
 

cbservers

Verified User
Joined
Oct 28, 2004
Messages
44
Location
Sydney, Australia
Thanks SeLLeRoNe, I tried previous posts and it all failed, yours with some updating (versions) worked.

I needed to add exif to my php so I needed to recompile php, but suhosin is not available for the latest php version so I needed to use custombuild with an older version of php.

Here's what I did, hopefully it will help others;

Code:
cd /usr/local/directadmin/custombuild
rm -rf php*
rm -rf suh*
./build update
./build set clean no
nano versions.txt
# Change the php5:5.2.17 line to:
#   php5:5.2.16:68f2c92b5b33d131b1ea70ece9fc40ad
./build update_data
tar xzf php-5.2.16.tar.gz
wget http://download.suhosin.org/suhosin-patch-5.2.16-0.9.7.patch.gz
gunzip suhosin-patch-5.2.16-0.9.7.patch.gz
patch -p0 < suhosin-patch-5.2.16-0.9.7.patch
nano build
# In build, find every FILE=${CWD}/php-${PHP5_VER} line and, 3 lines below it, comment out the corresponding line so it reads:
#   #tar xzf ${FILE}
# Save and exit.
nano configure/suphp/configure.php5
# Add a \ to the last line, then add on a new line:
#   "--enable-exif"
# Save and exit, then run:
./build php n
./build set clean yes

As you can see, I changed versions.txt to get the previous version, 5.2.16, instead of the current 5.2.17.
It would be good if custombuild could have the option to override the version instead of having to hack the code.
But either way, I'm no expert and I got it going, so thank you to SeLLeRoNe and smtalk.
 

Anton

Verified User
Joined
Oct 6, 2010
Messages
104
Location
Iceland
So is there any new, better and easier way to get suhosin to work? The info above did not work for me.
 

Vibe

Verified User
Joined
Aug 3, 2005
Messages
111
PHP 5.2.17 with Suhosin

For anyone interested in compiling PHP 5.2.17 with Suhosin patch 0.9.7 - I was able to do so using the following steps to create a "new" patch - followed by smtalk's instructions (second post in this thread):

1.) Download the Suhosin patch for PHP 5.2.16 (suhosin-patch-5.2.16-0.9.7.patch.gz)

2.) Gunzip (extract) to suhosin-patch-5.2.16-0.9.7.patch

3.) Rename the patch to suhosin-patch-5.2.17-0.9.7.patch (e.g. for PHP 5.2.17)

4.) Open the patch in a text editor and replace all instances of "5.2.16" with "5.2.17" (I used MetaPad on Windows 7) - completed in a few seconds.

5.) At this point - follow smtalk's instructions for patching PHP by downloading a new copy of php-5.2.17.tar.gz from the DA file repository.

An example of the changes you will see:

Code:
diff -Nura php-5.2.16/TSRM/TSRM.h suhosin-patch-5.2.16-0.9.7/TSRM/TSRM.h
--- php-5.2.16/TSRM/TSRM.h	2008-12-31 12:17:49.000000000 +0100
+++ suhosin-patch-5.2.16-0.9.7/TSRM/TSRM.h	2010-12-30 16:48:25.000000000 +0100
Becomes:

Code:
diff -Nura php-5.2.17/TSRM/TSRM.h suhosin-patch-5.2.17-0.9.7/TSRM/TSRM.h
--- php-5.2.17/TSRM/TSRM.h	2008-12-31 12:17:49.000000000 +0100
+++ suhosin-patch-5.2.17-0.9.7/TSRM/TSRM.h	2010-12-30 16:48:25.000000000 +0100
I had some spare time on my hands so I did a full text comparison of the source files for PHP 5.2.16 vs 5.2.17 - as compared to the changes made by the Suhosin patch for PHP 5.2.16. None of the files that Suhosin 0.9.7 alters appear to have changed with PHP 5.2.17.

*** IMPORTANT ***

While this worked perfectly for me on a FreeBSD 7.3 32 bit server - your mileage may vary. I cannot guarantee this will work for you in your environment. Good luck!

I have attached my "suhosin-patch-5.2.17-0.9.7.patch.txt" to this post. Just remove the ".txt" extension at the end.
 

Attachments
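
The steps in the post above, scripted as an added example that is not part of the thread: it lists the files the patch touches, checks that none of them differ between the two PHP source trees (the comparison the post describes doing by hand), rewrites the version in the diff header lines, and dry-runs the result. The function names and the fixture are made up for illustration, and rewriting only the header lines is deliberately narrower than the replace-all in step 4, so the hunk bodies stay identical to the published patch.

```shell
#!/bin/sh
# Added example; function names are hypothetical, fixture data is constructed.

# Files a unified diff touches, with the leading directory stripped.
patch_targets() {  # PATCH
    sed -n 's|^+++ [^/]*/\([^[:space:]]*\).*|\1|p' "$1"
}

# Print each patched file that differs between two source trees and return
# non-zero if any do (the old patch context may then no longer match).
changed_targets() {  # PATCH OLD_TREE NEW_TREE
    rc=0
    for f in $(patch_targets "$1"); do
        [ -e "$2/$f" ] || [ -e "$3/$f" ] || continue  # file the patch creates
        cmp -s "$2/$f" "$3/$f" || { echo "$f"; rc=1; }
    done
    return $rc
}

# Rewrite OLD to NEW on diff header lines only (diff/---/+++); hunk bodies
# are left untouched. Dots are escaped so "5.2.16" is matched literally.
retarget_patch() {  # OLD NEW IN OUT
    old_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    sed -E "/^(diff |--- |\+\+\+ )/ s/$old_re/$2/g" "$3" > "$4"
}

# Succeeds only if PATCH applies cleanly from DIR; nothing is modified.
applies_cleanly() {  # PATCH DIR
    (cd "$2" && patch -p0 --dry-run > /dev/null) < "$1"
}

# Constructed fixture: two identical one-file trees and a one-hunk patch.
make_fixture() {  # DIR
    mkdir -p "$1/php-5.2.16/TSRM" "$1/php-5.2.17/TSRM"
    printf 'a\nb\n' > "$1/php-5.2.16/TSRM/TSRM.h"
    cp "$1/php-5.2.16/TSRM/TSRM.h" "$1/php-5.2.17/TSRM/TSRM.h"
    printf '%s\n' \
        'diff -Nura php-5.2.16/TSRM/TSRM.h suhosin-patch-5.2.16-0.9.7/TSRM/TSRM.h' \
        '--- php-5.2.16/TSRM/TSRM.h' \
        '+++ suhosin-patch-5.2.16-0.9.7/TSRM/TSRM.h' \
        '@@ -1,2 +1,3 @@' ' a' '+/* note: 5.2.16 */' ' b' > "$1/old.patch"
}

# Usage: d=$(mktemp -d); make_fixture "$d"
#   changed_targets "$d/old.patch" "$d/php-5.2.16" "$d/php-5.2.17" &&
#   retarget_patch 5.2.16 5.2.17 "$d/old.patch" "$d/new.patch" &&
#   applies_cleanly "$d/new.patch" "$d"
```

If `changed_targets` prints anything, the files it names need a manual look before the retargeted patch is trusted, even when the dry run succeeds.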

Rezaa

Verified User
Joined
Dec 15, 2010
Messages
75
Anyone confirm this method?
May it cause any issues?
I'm using Centos 5.5 along with PHP 5.2.17


 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,159
Location
GMT +7.00
In case this method is not working, the worst thing you might get is PHP without suhosin-patch, so feel free to check this out. And update us with your results.
 

Rezaa

Verified User
Joined
Dec 15, 2010
Messages
75
I've installed the patch and everything seems OK. But how can I check whether my PHP is patched or not?

 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,793
Location
A Coruña, Spain
Just run this:

Code:
php -v
You should have something like: PHP 5.3.8 with Suhosin-Patch (cli) (built: Nov 24 2011 12:11:04)

Regards
 

Oid

New member
Joined
Jan 30, 2011
Messages
4
Hello,

I'm testing with Suhosin on our testing environment.

The patch is working, but I don't get suhosin.executor.func.blacklist working.

What am I doing wrong?

Tested on multiple servers with PHP 5.3.10, 5.2.16, 5.2.17

output of php -v:
Code:
PHP 5.2.17 with Suhosin-Patch 0.9.7 (cli) (built: Feb 20 2012 12:54:27)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2010 Zend Technologies
    with the ionCube PHP Loader v4.0.10, Copyright (c) 2002-2011, by ionCube Ltd.

httpd.conf
Code:
# Auto generated apache config file by DirectAdmin version 1.40.3
# Modifying this file is not recommended as any changes you make will be
# overwritten when the user makes any changes to his/her website

# For global config changes that affect all Users, see this guide:
# http://help.directadmin.com/item.php?id=2
# For local config changes that only affect one User, see this guide:
# http://help.directadmin.com/item.php?id=3

# Frontpage requires these parameters in every httpd.conf file or else
# it won't work.
ServerRoot /etc/httpd



<VirtualHost *.*.*.*:80 >


	ServerName www.testwebserver.com
	ServerAlias www.testwebserver.com testwebserver.com 
	ServerAdmin webmaster@testwebserver.com
	DocumentRoot /home/test/domains/testwebserver.com/public_html
	ScriptAlias /cgi-bin/ /home/test/domains/testwebserver.com/public_html/cgi-bin/

	UseCanonicalName OFF

	#SuexecUserGroup test test
	RMode config
	RUidGid test test
	RGroups apache
	
	#RDocumentChRoot /home/test /home/test/domains/testwebserver.com/public_html
	CustomLog /var/log/httpd/domains/testwebserver.com.bytes bytes
	CustomLog /var/log/httpd/domains/testwebserver.com.log combined
	ErrorLog /var/log/httpd/domains/testwebserver.com.error.log

	<Directory /home/test/domains/testwebserver.com/public_html>
		Options +Includes -Indexes
	php_admin_value upload_tmp_dir "/home/test/tmp"
	php_admin_value suhosin.executor.func.blacklist "system, shell_exec, exec, passthru, php_uname, popen, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid,posix_setgid, posix_uname, proc_close, proc_nice, proc_open, proc_terminate"
	php_admin_value session.save_path "/home/test/tmp"
	php_admin_value soap.wsdl_cache_dir "/home/test/tmp"
	php_admin_value eaccelerator.cache_dir "/home/test/tmp/eaccelerator"

		php_admin_flag engine ON
		<IfModule !mod_php6.c>
			php_admin_flag safe_mode OFF
		</IfModule>
		php_admin_value sendmail_path '/usr/sbin/sendmail -t -i -f test@testwebserver.com'


		php_admin_value open_basedir /home/test/:/tmp:/var/tmp:/usr/local/lib/php/


	</Directory>
	<Location /phpMyAdmin>
		RMode config
		RUidGid webapps webapps
		RGroups apache
	</Location>
        <Location /phpmyadmin>
                RMode config
                RUidGid webapps webapps
                RGroups apache
        </Location>
        <Location /squirrelmail>
                RMode config
                RUidGid webapps webapps
                RGroups apache
        </Location>
        <Location /roundcube>
                RMode config
                RUidGid webapps webapps
                RGroups apache
        </Location>
        <Location /uebimiau>
                RMode config
                RUidGid webapps webapps
                RGroups apache
        </Location>
        <Location /webmail>
                RMode config
                RUidGid webapps webapps
                RGroups apache
        </Location>
        <Location /atmail>
                RMode config
                RUidGid webapps webapps
                RGroups apache
        </Location>



</VirtualHost>




<VirtualHost *.*.*.*:443 >

	SSLEngine on
	SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
	SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
	

	ServerName www.testwebserver.com
	ServerAlias www.testwebserver.com testwebserver.com 
	ServerAdmin webmaster@testwebserver.com
	DocumentRoot /home/test/domains/testwebserver.com/private_html
	ScriptAlias /cgi-bin/ /home/test/domains/testwebserver.com/public_html/cgi-bin/

	UseCanonicalName OFF

	#SuexecUserGroup test test
	RMode config
	#RDocumentChRoot /home/test /home/test/domains/testwebserver.com/private_html
	RUidGid test test
	RGroups apache
	
	CustomLog /var/log/httpd/domains/testwebserver.com.bytes bytes
	CustomLog /var/log/httpd/domains/testwebserver.com.log combined
	ErrorLog /var/log/httpd/domains/testwebserver.com.error.log

	<Directory /home/test/domains/testwebserver.com/private_html>
		Options +Includes -Indexes
	php_admin_value upload_tmp_dir "/home/test/tmp"
	php_admin_value suhosin.executor.func.blacklist "system, shell_exec, exec, passthru, php_uname, popen, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid,posix_setgid, posix_uname, proc_close, proc_nice, proc_open, proc_terminate"
        php_admin_value session.save_path "/home/test/tmp"
        php_admin_value soap.wsdl_cache_dir "/home/test/tmp"
        php_admin_value eaccelerator.cache_dir "/home/test/tmp/eaccelerator"


		php_admin_flag engine ON
		<IfModule !mod_php6.c>
			php_admin_flag safe_mode OFF
		</IfModule>
		php_admin_value sendmail_path '/usr/sbin/sendmail -t -i -f test@testwebserver.com'


		php_admin_value open_basedir /home/test/:/tmp:/var/tmp:/usr/local/lib/php/


	</Directory>
	<Location /phpMyAdmin>
                RMode config
                RUidGid webapps webapps
                RGroups apache
        </Location>
        <Location /phpmyadmin>
                RMode config
                RUidGid webapps webapps
                RGroups apache
        </Location>
        <Location /squirrelmail>
                RMode config
                RUidGid webapps webapps
                RGroups apache
        </Location>
        <Location /roundcube>
                RMode config
                RUidGid webapps webapps
                RGroups apache
        </Location>
        <Location /uebimiau>
                RMode config
                RUidGid webapps webapps
                RGroups apache
        </Location>
        <Location /webmail>
                RMode config
                RUidGid webapps webapps
                RGroups apache
        </Location>
        <Location /atmail>
                RMode config
                RUidGid webapps webapps
                RGroups apache
        </Location>



</VirtualHost>

When I'm running this script:

Code:
<?php
$output = shell_exec('ls -lart');
echo "<pre>$output</pre>";

?>
I get
Code:
total 12
drwx--x--x 9 test test 4096 Feb 16 00:12 ..
drwxr-xr-x 2 test test 4096 Feb 20 11:57 .
-rw-r--r-- 1 test test 80 Feb 20 12:03 index.php

Tried it over and over and over, but no result. Also with the module it is not working...


thank you.
 

blaszlo

Verified User
Joined
Jun 9, 2008
Messages
116
When I go to install PHP 5.3.x from custombuild, it appears that it has downloaded 5.3.10... No big deal given that there are some major security flaws in 5.3.9, but Suhosin does not have a patch for 5.3.10 (at least not yet). Any suggestions there? Or is there a way to make the 5.3.9 patch work with PHP 5.3.10?
 

enkrypt

Verified User
Joined
Feb 3, 2011
Messages
38
I cannot seem to get this to compile with PHP 5.3.13
It fails at the patch command with a "Can't Locate File" to patch - This forces me to simply use the extension.

Is it even worth installing suhosin anymore? Since it is pretty much discontinued...
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,793
Location
A Coruña, Spain
Until there is a Suhosin patch for this PHP version, maybe you should consider using Suhosin as an extension.

Regards
 

Spark

Verified User
Joined
Aug 25, 2006
Messages
109
this can actually be automated a bit... I have my own custom script that does it outside of custombuild, but a while back I talked with smtalk and got instructions on how to hook and detect custombuild php version... once I get my solution integrated into custombuild I will update the thread.

There is only one downside to automating it, and that is you have to wait for suhosin to release their patch before you can run custombuild to upgrade php... Maybe smtalk has a way to skip php build with error message that latest suhosin patch not available yet
 