Hardening PHP with Suhosin

Suhosin is a package designed to harden PHP, in the sense that it addresses potential vulnerabilities that might be introduced through user scripts. It comes as both a patch which can be applied directly to the PHP source code and as an extension that can be built for PHP.

This article looks at how to add the Suhosin extension to PHP running on Amazon’s Linux distribution.

Change to superuser so as to not have to prefix every command with sudo:

sudo -i

Download and verify Suhosin source:

cd /usr/local/src
wget http://www.hardened-php.net/hardened-php-signature-key.asc
gpg --import < hardened-php-signature-key.asc
wget http://download.suhosin.org/suhosin-0.9.32.1.tar.gz
md5sum suhosin-0.9.32.1.tar.gz
wget http://download.suhosin.org/suhosin-0.9.32.1.tar.gz.sig
gpg suhosin-0.9.32.1.tar.gz.sig

Extract Suhosin and compile extension:

tar -xzvf suhosin-0.9.32.1.tar.gz
cd suhosin-0.9.32.1
phpize
./configure
make
make install

Add the extension to PHP, restart Apache, and return to the non-elevated user:

echo "extension=suhosin.so" | tee /etc/php.d/suhosin.ini
service httpd restart
exit
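The steps above, as an added example (not from the original post), wrapped in a script that aborts if the GPG signature check fails or if the freshly built extension does not load, rather than leaving those results to be eyeballed. It assumes the same version, URLs and paths as the post and is run as root:

```shell
#!/bin/sh
# Added example: the Suhosin install steps as a fail-safe script.
# Assumes the post's version/URLs/paths; run as root.
set -eu

SUHOSIN_VERSION="0.9.32.1"
SUHOSIN_URL="http://download.suhosin.org"
KEY_URL="http://www.hardened-php.net/hardened-php-signature-key.asc"
SRC_DIR="/usr/local/src"
INI_FILE="/etc/php.d/suhosin.ini"

# Verify the detached signature for $1 ($1.sig must sit beside it).
# Returns non-zero on a bad or missing signature, so the caller can
# stop instead of building an unverified tarball.
verify_signature() {
    gpg --batch --verify "$1.sig" "$1" >/dev/null 2>&1
}

# Read a "php -m" style module list on stdin; succeed only if $1 is
# listed as a whole line (case-insensitive), so "suhosin7" would not
# pass as "suhosin".
extension_listed() {
    grep -iqx "$1"
}

install_suhosin() {
    tarball="suhosin-$SUHOSIN_VERSION.tar.gz"
    cd "$SRC_DIR"
    wget -q "$KEY_URL"
    gpg --batch --import < hardened-php-signature-key.asc
    wget -q "$SUHOSIN_URL/$tarball" "$SUHOSIN_URL/$tarball.sig"
    verify_signature "$tarball" || { echo "signature check FAILED: $tarball" >&2; exit 1; }
    tar -xzf "$tarball"
    cd "suhosin-$SUHOSIN_VERSION"
    phpize && ./configure && make && make install
    echo "extension=suhosin.so" > "$INI_FILE"
    # Check the CLI loads the .so before bouncing Apache: a broken module
    # would otherwise take the web server down with it.
    php -m | extension_listed suhosin || { echo "suhosin did not load" >&2; exit 1; }
    service httpd restart
}

# Dry by default: set SUHOSIN_INSTALL=1 to actually perform the install.
if [ "${SUHOSIN_INSTALL:-0}" = 1 ]; then
    install_suhosin
fi
```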

A fairly straightforward installation, with no real snags along the way. Successful installation can be confirmed by viewing the output of phpinfo(), which should contain a new Suhosin section and also display the following:

...with Suhosin v0.9.32.1...

One quick point worth mentioning is that some scripts (e.g. RoundCube) do not work well with the encrypted sessions setting. To disable it, simply add the following to your php.ini (or suhosin.ini):

suhosin.session.encrypt=Off

By cyberx86

Just a random guy who dabbles with assorted technologies yet works in a completely unrelated field.
