suhosin and 5.4 onwards
Nick Edwards
2013-08-03 06:38:49 UTC
Ok, so I know this might start flame wars, but... here goes ;)

It seems suhosin is dead as far as 5.4 goes. Now, some make
allegations that it is no longer needed since PHP has allegedly
incorporated much of its safeguards, but these claims are from self-
proclaimed experts (a term I use very loosely) on forums and blogs.

So, is the general opinion here, from actual "factual experience" and
not because you read the same trashy bloggers as I did, in agreement?
Is it genuinely true that suhosin is now irrelevant with 5.4 upwards
and PHP is now much safer on its own?

We have always appreciated its work to stop plugins and so forth
escaping local jails, for example open_basedir or some other lock-down
type setting, plus injections and so forth.

If PHP has incorporated such, that's fine, but I have no idea where to
turn to ask for factual information on this, so I'm asking here and
hope that a dev or someone in the inner circle knows the facts, and
not rumours or surmises, or at least more facts than half the self-
appointed gurus claim :)

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
2013-08-03 07:06:20 UTC
Well, I do not use suhosin as I can lock down PHP with things like
disable_functions and disable_classes, along with more advanced measures
such as chroot and mod_security.
Post by Nick Edwards
Ok, so I know this might start flame wars, but... here goes ;)
It seems suhosin is dead as far as 5.4 goes. Now, some make
allegations that it is no longer needed since PHP has allegedly
incorporated much of its safeguards, but these claims are from self-
proclaimed experts (a term I use very loosely) on forums and blogs.
So, is the general opinion here, from actual "factual experience" and
not because you read the same trashy bloggers as I did, in agreement?
Is it genuinely true that suhosin is now irrelevant with 5.4 upwards
and PHP is now much safer on its own?
We have always appreciated its work to stop plugins and so forth
escaping local jails, for example open_basedir or some other lock-down
type setting, plus injections and so forth.
If PHP has incorporated such, that's fine, but I have no idea where to
turn to ask for factual information on this, so I'm asking here and
hope that a dev or someone in the inner circle knows the facts, and
not rumours or surmises, or at least more facts than half the self-
appointed gurus claim :)
Daniel Fenn
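The lock-down Daniel describes lives in php.ini (disable_functions, disable_classes, open_basedir), and those directives are PHP_INI_SYSTEM, so a script cannot set them but can verify that they are actually in effect on the box it runs on. The following audit script is an added example, not code from this thread or from any of its posters; the list of functions, classes and directives it checks is an assumption chosen for illustration, not a complete hardening baseline.

```php
<?php
// Added example (not from the thread): verify that the php.ini lock-down
// settings discussed above are in effect on the PHP build running this
// script. The names checked below are assumptions for illustration.

/**
 * Returns a list of findings (empty when everything expected is in place).
 *
 * @param string[] $mustDisableFunctions functions that must not be callable
 * @param string[] $mustDisableClasses   classes that must be in disable_classes
 * @param array    $directives           name => expected value; use true/false
 *                                       for boolean directives, 'non-empty'
 *                                       for directives that must be set
 */
function audit_php_lockdown(array $mustDisableFunctions, array $mustDisableClasses, array $directives): array
{
    $findings = [];

    // ini_get() hands back the raw comma-separated list from php.ini.
    $toList = static function (string $raw): array {
        return array_values(array_filter(array_map('trim', explode(',', $raw))));
    };
    $disabledFunctions = $toList((string) ini_get('disable_functions'));
    $disabledClasses   = $toList((string) ini_get('disable_classes'));

    foreach ($mustDisableFunctions as $fn) {
        // function_exists() is false both for disabled functions and for
        // functions whose extension is not loaded; either is acceptable here.
        if (function_exists($fn) && !in_array($fn, $disabledFunctions, true)) {
            $findings[] = "function $fn is callable; add it to disable_functions";
        }
    }

    foreach ($mustDisableClasses as $cls) {
        // A disabled class is still declared (class_exists() stays true),
        // so the php.ini list is the authoritative check.
        if (class_exists($cls, false) && !in_array($cls, $disabledClasses, true)) {
            $findings[] = "class $cls is instantiable; add it to disable_classes";
        }
    }

    foreach ($directives as $name => $expected) {
        $actual = ini_get($name);
        if ($actual === false) {
            $findings[] = "$name: directive unknown to this PHP build";
            continue;
        }
        if ($expected === 'non-empty') {
            if (trim((string) $actual) === '') {
                $findings[] = "$name is not set";
            }
        } elseif (is_bool($expected)) {
            // php.ini booleans come back as "1"/"0"/""/"On"/"Off".
            $actualBool = filter_var($actual, FILTER_VALIDATE_BOOLEAN);
            if ($actualBool !== $expected) {
                $findings[] = sprintf('%s is %s, expected %s', $name,
                    $actualBool ? 'On' : 'Off', $expected ? 'On' : 'Off');
            }
        } elseif ((string) $actual !== (string) $expected) {
            $findings[] = "$name is '$actual', expected '$expected'";
        }
    }

    return $findings;
}

// Usage: run from the same SAPI you serve with (php-fpm/mod_php), since
// CLI and web SAPIs can load different php.ini files.
$findings = audit_php_lockdown(
    ['exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen', 'pcntl_exec', 'dl'],
    [],                                   // assumption: no classes required here
    [
        'open_basedir'      => 'non-empty',
        'allow_url_include' => false,
        'allow_url_fopen'   => false,
        'expose_php'        => false,
        'display_errors'    => false,
    ]
);

if ($findings === []) {
    echo "PHP lock-down in effect\n";
    exit(0);
}
foreach ($findings as $f) {
    fwrite(STDERR, "FAIL: $f\n");
}
exit(1);
```

Because disable_functions and friends are PHP_INI_SYSTEM, a web application cannot loosen them with ini_set(); that is why a run-time audit like this one is a meaningful check after an upgrade that drops suhosin, whereas a check of the php.ini file on disk only tells you what PHP was supposed to load.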
Lester Caine
2013-08-03 08:50:40 UTC
Post by Nick Edwards
So, is the general opinion here, from actual "factual experience" and
not because you read the same trashy bloggers as I did, in agreeance?
is it genuinely true that suhosin is now irrelevant with 5.4 upwards
and php is now much safer on its own?
Practical experience is that suhosin does not actually work with 5.4?
I've had to disable it because of problems with session handling amongst other
things and don't have time to investigate why.
Would I prefer to re-enable it - YES - and it's one of a number of reasons that
have been making switching currently stable PHP5.2 servers over to 5.4 less
The amount of time I'm wasting on coping with many of the so called improvements
across the whole Linux platform is making me feel that commercial interests are
actually in control rather than users/developers? Staying with stable platforms
that we are comfortable with is just not practical :(
Lester Caine - G8HFL
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
2013-08-03 09:32:19 UTC
Post by Lester Caine
Practical experience is that suhosin does not actually work with 5.4?
Not without _unofficial_ patch(es); see attached for sessions. If it
doesn't go through on list you can find the patch on GitHub.
Post by Lester Caine
I've had to disable it because of problems with session handling amongst other
things and don't have time to investigate why.
There was a patch on suhosin mailing list for that, a few people who
tried it out said it worked. I've not yet bothered, but...

I saw a post from Steffen saying he has no time for suhosin and the
project is being taken over by someone else. I think the jury is out on
whether it will ever revive; in the meantime, PHP 5.3 works fine. If only PHP
devs would stop fscking changing everything every time they release a
new version; it is frustrating to many.

And people who rely on mod_security are no more protected than what is
being done here, since mod_security has not had the best track record
itself in the past.
Post by Lester Caine
Would I prefer to re-enable it - YES - and it's one of a number of reasons that
have been making switching currently stable PHP5.2 servers over to 5.4 less
The amount of time I'm wasting on coping with many of the so called improvements
across the whole Linux platform is making me feel that commercial interests are
That's why I recommend distros that don't want to change the world and
stick by tried and time-proven ones, like Slackware and Gentoo, but this isn't
an OS flame against others; I use openSUSE as well on PCs and laptops.

Everything just looks after itself :)
