recompile PHP with Suhosin

I did everything how it's written but "make" gives me " *** No targets specified and no makefile found. stop. " I run Debian 5 with php5.2.14 and did:


cd /usr/local/directadmin/custombuild
./build update
./build set clean no
tar xzf php-5.2.14.tar.gz
wget http://download.suhosin.org/suhosin-patch-5.2.14-0.9.7.patch.gz
gunzip suhosin-patch-5.2.14-0.9.7.patch.gz
patch -p0 < suhosin-patch-5.2.14-0.9.7.patch
cd php-5.2.14
`../build used_configs | grep PHP5 | cut -d: -f2`
make (THIS ISN'T WORKING)
make install
/etc/init.d/httpd restart
cd ..
./build set clean yes


Why does make give this error?
 
try this:

Code:
cd /usr/local/directadmin/custombuild
rm -rf php*
./build update
./build set clean no
tar xzf php-5.2.13.tar.gz
wget http://download.suhosin.org/suhosin-patch-5.2.13-0.9.7.patch.gz
gunzip suhosin-patch-5.2.13-0.9.7.patch.gz
patch -p0 < suhosin-patch-5.2.13-0.9.7.patch
nano build
check for every FILE=${CWD}/php-${PHP5_VER} line and, 3 lines down, comment out the corresponding line
#tar xzf ${FILE}
save and exit and run
./build php n
/etc/init.d/httpd restart
./build set clean yes

Regards
 
I have a question. What about "mail-header.patch" do I have to patch it before or after suhosin patch ?

patch -p0 < php-5.2.xx-mail-header.patch
 
cli vs cgi

All the info in here works great with CLI, but when it comes to CGI it does not work, and that's because CGI is installed in the php5 folder vs CLI, which is installed in the php folder. So the commands have to be modified to look for php.ini in php5.
 
Thanks SeLLeRoNe, I tried previous posts and it all failed, yours with some updating (versions) worked.

I needed to add exif to my php so I needed to recompile php, but suhosin is not available for the latest php version so I needed to use custombuild with an older version of php.

Here's what I did, hopefully it will help others;

Code:
cd /usr/local/directadmin/custombuild
rm -rf php*
rm -rf suh*
./build update
./build set clean no
nano versions.txt
change the php5:5.2.17 line to
php5:5.2.16:68f2c92b5b33d131b1ea70ece9fc40ad
./build update_data
tar xzf php-5.2.16.tar.gz
wget http://download.suhosin.org/suhosin-patch-5.2.16-0.9.7.patch.gz
gunzip suhosin-patch-5.2.16-0.9.7.patch.gz
patch -p0 < suhosin-patch-5.2.16-0.9.7.patch
nano build
check for every FILE=${CWD}/php-${PHP5_VER} line and, 3 lines down, comment out the corresponding line
#tar xzf ${FILE}
save and exit
nano configure/suphp/configure.php5
add a \ to last line
add on the new line
"--enable-exif"
save and exit and run
./build php n
./build set clean yes
As you can see I changed the versions.txt to get the previous version of 5.2.16 instead of the current 5.2.17
It would be good if custombuild could have the option to override the version instead of having to hack the code.
but either way, I'm no expert and I got it going so, thank you to SeLLeRoNe and smtalk.
 
So is there any new, better and easier way to get suhosin to work? The info above did not work for me.
 
PHP 5.2.17 with Suhosin

For anyone interested in compiling PHP 5.2.17 with Suhosin patch 0.9.7 - I was able to do so using the following steps to create a "new" patch - followed by smtalk's instructions (second post in this thread):

1.) Download the Suhosin patch for PHP 5.2.16 (suhosin-patch-5.2.16-0.9.7.patch.gz)

2.) Gunzip (extract) to suhosin-patch-5.2.16-0.9.7.patch

3.) Rename the patch to suhosin-patch-5.2.17-0.9.7.patch (e.g. for PHP 5.2.17)

4.) Open the patch in a text editor and replace all instances of "5.2.16" with "5.2.17" (I used MetaPad on Windows 7) - completed in a few seconds.

5.) At this point - follow smtalk's instructions for patching PHP by downloading a new copy of php-5.2.17.tar.gz from the DA file repository.

An example of the changes you will see:

Code:
diff -Nura php-5.2.16/TSRM/TSRM.h suhosin-patch-5.2.16-0.9.7/TSRM/TSRM.h
--- php-5.2.16/TSRM/TSRM.h	2008-12-31 12:17:49.000000000 +0100
+++ suhosin-patch-5.2.16-0.9.7/TSRM/TSRM.h	2010-12-30 16:48:25.000000000 +0100

Becomes:

Code:
diff -Nura php-5.2.17/TSRM/TSRM.h suhosin-patch-5.2.17-0.9.7/TSRM/TSRM.h
--- php-5.2.17/TSRM/TSRM.h	2008-12-31 12:17:49.000000000 +0100
+++ suhosin-patch-5.2.17-0.9.7/TSRM/TSRM.h	2010-12-30 16:48:25.000000000 +0100

I had some spare time on my hands so I did a full text comparison of the source files for PHP 5.2.16 vs 5.2.17 - as compared to the changes made by the Suhosin patch for PHP 5.2.16. None of the files that Suhosin 0.9.7 alters appear to have changed with PHP 5.2.17.

*** IMPORTANT ***

While this worked perfectly for me on a FreeBSD 7.3 32 bit server - your mileage may vary. I cannot guarantee this will work for you in your environment. Good luck!

I have attached my "suhosin-patch-5.2.17-0.9.7.patch.txt" to this post. Just remove the ".txt" extension at the end.
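
The comparison described in this post can be scripted. The following is an added example, not part of the original post or of custombuild: it lists the files a patch touches and reports any that differ between two source trees. The helper names and the sample trees are constructed for illustration; only the `TSRM/TSRM.h` path and the patch directory name come from the thread.

```shell
#!/bin/sh
# Added example: before re-labelling a patch for a newer release, confirm that
# every file it touches is byte-identical in the old and new source trees.

# List the files a unified diff modifies, stripping the leading directory
# (e.g. "suhosin-patch-5.2.16-0.9.7/") from each "+++" header line.
patch_targets() {
    sed -n 's|^+++ [^/]*/\([^[:space:]]*\).*|\1|p' "$1" | sort -u
}

# Print each patch target that differs between two trees (or exists in only
# one). Returns 0 only when every target is identical in both.
changed_targets() {   # usage: changed_targets OLD_TREE NEW_TREE PATCH_FILE
    old=$1 new=$2 rc=0
    # Word splitting is acceptable here: the paths contain no whitespace.
    for f in $(patch_targets "$3"); do
        # A file the patch itself creates is absent from both pristine trees.
        [ ! -e "$old/$f" ] && [ ! -e "$new/$f" ] && continue
        cmp -s "$old/$f" "$new/$f" 2>/dev/null || { echo "$f"; rc=1; }
    done
    return "$rc"
}

# Constructed sample: two tiny stand-in trees and three patch headers.
make_sample() {   # prints the temporary directory it creates
    t=$(mktemp -d) || return 1
    for v in 5.2.16 5.2.17; do
        mkdir -p "$t/php-$v/TSRM" "$t/php-$v/main"
        echo 'unchanged' > "$t/php-$v/TSRM/TSRM.h"
        echo "differs in $v" > "$t/php-$v/main/example.c"
    done
    printf '+++ suhosin-patch-5.2.16-0.9.7/%s\t2010-12-30 16:48:25\n' \
        TSRM/TSRM.h main/example.c main/added_by_patch.c > "$t/sample.patch"
    echo "$t"
}

sample=$(make_sample)
changed_targets "$sample/php-5.2.16" "$sample/php-5.2.17" "$sample/sample.patch" \
    || echo "review the files listed above before reusing the patch"
rm -rf "$sample"
```

On real trees, a follow-up `patch -p0 --dry-run < suhosin-patch-5.2.17-0.9.7.patch` shows whether every hunk still applies without modifying any file.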
 

Anyone confirm this method?
May it cause any issues?
I'm using Centos 5.5 along with PHP 5.2.17


 

In case this method is not working, the worst thing you might get is PHP without suhosin-patch, so feel free to check this out. And update us with your results.
 
I've installed the patch and everything seems OK. But how can I check whether my PHP is patched or not?

 
Just run this:

Code:
php -v

You should have something like: PHP 5.3.8 with Suhosin-Patch (cli) (built: Nov 24 2011 12:11:04)

Regards
 
Hello,

I'm testing with suhosin on our testing environment.

The patch is working, but I don't get suhosin.executor.func.blacklist working.

What am I doing wrong?

Tested on multiple servers with PHP 5.3.10, 5.2.16, 5.2.17

output of php -v:
Code:
PHP 5.2.17 with Suhosin-Patch 0.9.7 (cli) (built: Feb 20 2012 12:54:27)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2010 Zend Technologies
    with the ionCube PHP Loader v4.0.10, Copyright (c) 2002-2011, by ionCube Ltd.


httpd.conf
Code:
# Auto generated apache config file by DirectAdmin version 1.40.3
# Modifying this file is not recommended as any changes you make will be
# overwritten when the user makes any changes to his/her website

# For global config changes that affect all Users, see this guide:
# http://help.directadmin.com/item.php?id=2
# For local config changes that only affect one User, see this guide:
# http://help.directadmin.com/item.php?id=3

# Frontpage requires these parameters in every httpd.conf file or else
# it won't work.
ServerRoot /etc/httpd



<VirtualHost *.*.*.*:80 >


	ServerName www.testwebserver.com
	ServerAlias www.testwebserver.com testwebserver.com 
	ServerAdmin [email protected]
	DocumentRoot /home/test/domains/testwebserver.com/public_html
	ScriptAlias /cgi-bin/ /home/test/domains/testwebserver.com/public_html/cgi-bin/

	UseCanonicalName OFF

	#SuexecUserGroup test test
	RMode config
	RUidGid test test
	RGroups apache
	
	#RDocumentChRoot /home/test /home/test/domains/testwebserver.com/public_html
	CustomLog /var/log/httpd/domains/testwebserver.com.bytes bytes
	CustomLog /var/log/httpd/domains/testwebserver.com.log combined
	ErrorLog /var/log/httpd/domains/testwebserver.com.error.log

	<Directory /home/test/domains/testwebserver.com/public_html>
		Options +Includes -Indexes
	php_admin_value upload_tmp_dir "/home/test/tmp"
	php_admin_value suhosin.executor.func.blacklist "system, shell_exec, exec, passthru, php_uname, popen, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid,posix_setgid, posix_uname, proc_close, proc_nice, proc_open, proc_terminate"
	php_admin_value session.save_path "/home/test/tmp"
	php_admin_value soap.wsdl_cache_dir "/home/test/tmp"
	php_admin_value eaccelerator.cache_dir "/home/test/tmp/eaccelerator"

		php_admin_flag engine ON
		<IfModule !mod_php6.c>
			php_admin_flag safe_mode OFF
		</IfModule>
		php_admin_value sendmail_path '/usr/sbin/sendmail -t -i -f [email protected]'


		php_admin_value open_basedir /home/test/:/tmp:/var/tmp:/usr/local/lib/php/


	</Directory>
	<Location /phpMyAdmin>
		RMode config
		RUidGid webapps webapps
		RGroups apache
	</Location>
        <Location /phpmyadmin>
                RMode config
                RUidGid webapps webapps
                RGroups apache
        </Location>
        <Location /squirrelmail>
                RMode config
                RUidGid webapps webapps
                RGroups apache
        </Location>
        <Location /roundcube>
                RMode config
                RUidGid webapps webapps
                RGroups apache
        </Location>
        <Location /uebimiau>
                RMode config
                RUidGid webapps webapps
                RGroups apache
        </Location>
        <Location /webmail>
                RMode config
                RUidGid webapps webapps
                RGroups apache
        </Location>
        <Location /atmail>
                RMode config
                RUidGid webapps webapps
                RGroups apache
        </Location>



</VirtualHost>




<VirtualHost *.*.*.*:443 >

	SSLEngine on
	SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
	SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
	

	ServerName www.testwebserver.com
	ServerAlias www.testwebserver.com testwebserver.com 
	ServerAdmin [email protected]
	DocumentRoot /home/test/domains/testwebserver.com/private_html
	ScriptAlias /cgi-bin/ /home/test/domains/testwebserver.com/public_html/cgi-bin/

	UseCanonicalName OFF

	#SuexecUserGroup test test
	RMode config
	#RDocumentChRoot /home/test /home/test/domains/testwebserver.com/private_html
	RUidGid test test
	RGroups apache
	
	CustomLog /var/log/httpd/domains/testwebserver.com.bytes bytes
	CustomLog /var/log/httpd/domains/testwebserver.com.log combined
	ErrorLog /var/log/httpd/domains/testwebserver.com.error.log

	<Directory /home/test/domains/testwebserver.com/private_html>
		Options +Includes -Indexes
	php_admin_value upload_tmp_dir "/home/test/tmp"
	php_admin_value suhosin.executor.func.blacklist "system, shell_exec, exec, passthru, php_uname, popen, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid,posix_setgid, posix_uname, proc_close, proc_nice, proc_open, proc_terminate"
        php_admin_value session.save_path "/home/test/tmp"
        php_admin_value soap.wsdl_cache_dir "/home/test/tmp"
        php_admin_value eaccelerator.cache_dir "/home/test/tmp/eaccelerator"


		php_admin_flag engine ON
		<IfModule !mod_php6.c>
			php_admin_flag safe_mode OFF
		</IfModule>
		php_admin_value sendmail_path '/usr/sbin/sendmail -t -i -f [email protected]'


		php_admin_value open_basedir /home/test/:/tmp:/var/tmp:/usr/local/lib/php/


	</Directory>
	<Location /phpMyAdmin>
                RMode config
                RUidGid webapps webapps
                RGroups apache
        </Location>
        <Location /phpmyadmin>
                RMode config
                RUidGid webapps webapps
                RGroups apache
        </Location>
        <Location /squirrelmail>
                RMode config
                RUidGid webapps webapps
                RGroups apache
        </Location>
        <Location /roundcube>
                RMode config
                RUidGid webapps webapps
                RGroups apache
        </Location>
        <Location /uebimiau>
                RMode config
                RUidGid webapps webapps
                RGroups apache
        </Location>
        <Location /webmail>
                RMode config
                RUidGid webapps webapps
                RGroups apache
        </Location>
        <Location /atmail>
                RMode config
                RUidGid webapps webapps
                RGroups apache
        </Location>



</VirtualHost>


when i'm running this script:

Code:
<?php
$output = shell_exec('ls -lart');
echo "<pre>$output</pre>";

?>

i get
Code:
total 12
drwx--x--x 9 test test 4096 Feb 16 00:12 ..
drwxr-xr-x 2 test test 4096 Feb 20 11:57 .
-rw-r--r-- 1 test test 80 Feb 20 12:03 index.php


Tried it over and over and over, but no result. Also with the module it is not working...


thank you.
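
A check relevant to the two posts above, added here and not part of the thread: Suhosin ships as a core patch and as a separate extension, and the `suhosin.executor.*` settings are implemented by the extension, while the `php -v` output quoted above reports only the patch. The function names are hypothetical, and the extension banner line in the second sample is constructed with a placeholder version.

```shell
#!/bin/sh
# Added example: tell the Suhosin patch apart from the Suhosin extension.

# Classify `php -v` text read from stdin. The patch is named on the first
# line; the extension adds its own indented "with Suhosin v..." line.
suhosin_components() {
    awk '
        NR == 1 && /with Suhosin-Patch/   { patch = 1 }
        /^[ \t]*with Suhosin v[0-9]/      { ext = 1 }
        END {
            if (patch && ext) print "patch+extension"
            else if (patch)   print "patch-only"
            else if (ext)     print "extension-only"
            else              print "none"
        }'
}

# Print config lines that set suhosin.executor.* while no extension is
# reported. Returns 1 when such lines exist, 0 otherwise.
inert_executor_directives() {   # usage: inert_executor_directives STATE CONF
    case $1 in *extension*) return 0 ;; esac
    if grep -n 'suhosin\.executor\.' "$2"; then return 1; fi
    return 0
}

# `php -v` output quoted in the post above (patch only).
PATCH_ONLY='PHP 5.2.17 with Suhosin-Patch 0.9.7 (cli) (built: Feb 20 2012 12:54:27)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2010 Zend Technologies
    with the ionCube PHP Loader v4.0.10, Copyright (c) 2002-2011, by ionCube Ltd.'

# Constructed output for a build that also loads the extension; "v0.0.0" is
# a placeholder version.
WITH_EXT="$PATCH_ONLY
    with Suhosin v0.0.0, Copyright (c) by SektionEins GmbH"

state=$(printf '%s\n' "$PATCH_ONLY" | suhosin_components)
conf=$(mktemp)
# Directive shortened from the httpd.conf in the post above.
echo 'php_admin_value suhosin.executor.func.blacklist "system, shell_exec, exec"' > "$conf"
echo "components: $state"
inert_executor_directives "$state" "$conf" \
    || echo "directive is set, but no Suhosin extension is reported"
rm -f "$conf"
```

Feed it the output of the binary or module that actually serves web requests, since the thread notes that the CLI and CGI builds are installed separately.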
 
When I go to install PHP 5.3.x from custombuild, it appears that it has downloaded 5.3.10... No big deal given that there are some major security flaws in 5.3.9, but Suhosin does not have a patch for 5.3.10 (at least not yet). Any suggestions there? Or is there a way to make the 5.3.9 patch work with PHP 5.3.10?
 
I cannot seem to get this to compile with PHP 5.3.13
It fails at the patch command with a "Can't Locate File" to patch - This forces me to simply use the extension.

Is it even worth installing suhosin anymore? Since it is pretty much discontinued...
 
Until there is a suhosin patch for this PHP version, maybe you should consider using suhosin as an extension.

Regards
 
This can actually be automated a bit... I have my own custom script that does it outside of custombuild, but a while back I talked with smtalk and got instructions on how to hook and detect the custombuild php version... Once I get my solution integrated into custombuild I will update the thread.

There is only one downside to automating it, and that is that you have to wait for suhosin to release their patch before you can run custombuild to upgrade php... Maybe smtalk has a way to skip the php build with an error message that the latest suhosin patch is not available yet.
 