  1. #1
    Member
    Join Date
    Mar 2005
    Posts
    317

    How do I modify suhosin settings?

    I want to change my suhosin configuration, which is supposedly done via the php.ini file. (Hardened-PHP Project - PHP Security - Configuration)

    I opened the PHP Configuration Editor to do this (to prevent changes from being overwritten) and clicked on the "Advanced" option, but the suhosin options aren't there.

    So I took a look at /usr/local/lib/php.ini and the settings aren't in there either.

    I know suhosin is installed and running - but I can't find its configuration file - can anybody throw any light on this?

  2. #2
    cPanel Staff cPanelTristan
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    6,305
    cPanel/Enkompass Access Level

    Root Administrator

    Re: How do I modify suhosin settings?

    Can you check with php -v to ensure it is installed?

    Code:
    php -v

    You might try uninstalling and reinstalling it:

    Code:
    /scripts/phpextensionmgr uninstall PHPSuHosin
    /scripts/phpextensionmgr install PHPSuHosin

    Those SuHosin settings should be in the /usr/local/lib/php.ini file.
    -- Tristan, Forums Technical Analyst, cPanel Tech Support


  3. #3
    Member
    Join Date
    Mar 2005
    Posts
    317

    Re: How do I modify suhosin settings?

    Thanks Tristan

    It's definitely there -

    [~]# php -v
    PHP 5.2.14 (cli) (built: Aug 9 2010 20:47:05)
    Copyright (c) 1997-2010 The PHP Group
    Zend Engine v2.2.0, Copyright (c) 1998-2010 Zend Technologies
    with eAccelerator v0.9.6.1, Copyright (c) 2004-2010 eAccelerator, by eAccelerator
    with the ionCube PHP Loader v3.3.20, Copyright (c) 2002-2010, by ionCube Ltd., and
    with Zend Optimizer v3.3.9, Copyright (c) 1998-2009, by Zend Technologies
    with Suhosin v0.9.31, Copyright (c) 2007-2010, by SektionEins GmbH

    I'll try the uninstall / reinstall and see what happens.

  4. #4
    Member
    Join Date
    Mar 2005
    Posts
    317

    Re: How do I modify suhosin settings?

    I did the uninstall/reinstall but the settings still don't appear in php.ini.

    Yet phpinfo() says that suhosin is installed and the messages log shows requests being blocked by suhosin (eg. suhosin[7123]: ALERT - configured GET variable limit exceeded)

  5. #5
    cPanel Staff cPanelTristan
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    6,305
    cPanel/Enkompass Access Level

    Root Administrator

    Re: How do I modify suhosin settings?

    I was incorrect myself on the behavior. Only the suhosin.so extension is loaded into the php.ini file, as suhosin comes with default options already set. In order to change those options, you'd need to add them to the existing /usr/local/lib/php.ini file if they aren't there. For some reason, I had thought that they were added previously, but after installing suhosin on my server again, the settings aren't appearing in the global php.ini file.

    These are the settings you can add to the existing /usr/local/lib/php.ini file:

    ; Logging Configuration
    suhosin.log.syslog.facility = 9
    suhosin.log.use-x-forwarded-for = Off

    ; Executor Options
    suhosin.executor.max_depth = 0
    suhosin.executor.include.max_traversal = 4
    suhosin.executor.disable_emodifier = Off
    suhosin.executor.allow_symlink = Off

    ; Misc Options
    suhosin.simulation = Off
    suhosin.apc_bug_workaround = Off
    suhosin.sql.bailout_on_error = Off
    suhosin.multiheader = Off
    suhosin.mail.protect = 1
    suhosin.memory_limit = 20

    ; Transparent Encryption Options
    suhosin.session.encrypt = On
    suhosin.session.cryptua = On
    suhosin.session.cryptdocroot = On
    suhosin.session.cryptraddr = 0
    suhosin.cookie.encrypt = On
    suhosin.cookie.cryptua = On
    suhosin.cookie.cryptraddr = 0

    ; Filtering Options
    suhosin.filter.action = 406
    suhosin.cookie.max_array_depth = 100
    suhosin.cookie.max_array_index_length = 64
    suhosin.cookie.max_name_length = 64
    suhosin.cookie.max_totalname_length = 256
    suhosin.cookie.max_value_length = 10000
    suhosin.cookie.max_vars = 100
    suhosin.cookie.disallow_nul = On
    suhosin.get.max_array_depth = 50
    suhosin.get.max_array_index_length = 64
    suhosin.get.max_name_length = 64
    suhosin.get.max_totalname_length = 256
    suhosin.get.max_value_length = 512
    suhosin.get.max_vars = 100
    suhosin.get.disallow_nul = On
    suhosin.post.max_array_depth = 100
    suhosin.post.max_array_index_length = 64
    suhosin.post.max_totalname_length = 256
    suhosin.post.max_value_length = 65000
    suhosin.post.max_vars = 200
    suhosin.post.disallow_nul = On
    suhosin.request.max_array_depth = 100
    suhosin.request.max_array_index_length = 64
    suhosin.request.max_totalname_length = 256
    suhosin.request.max_value_length = 65000
    suhosin.request.max_vars = 200
    suhosin.request.max_varname_length = 64
    suhosin.request.disallow_nul = On
    suhosin.upload.max_uploads = 25
    suhosin.upload.disallow_elf = On
    suhosin.upload.disallow_binary = Off
    suhosin.upload.remove_binary = Off
    suhosin.session.max_id_length = 128

    You can review Hardened-PHP Project - PHP Security - Configuration location for any details on the various settings.

  6. #6
    Member
    Join Date
    Mar 2005
    Posts
    317

    Re: How do I modify suhosin settings?

    Thanks Tristan

  7. #7
    Member
    Join Date
    Dec 2001
    Location
    Long Beach, NY
    Posts
    220

    Re: How do I modify suhosin settings?

    Thanks Tristan - my question was the same as the above, as to where to find the configuration settings, but I'm entirely unclear on why the suhosin configuration settings are not in place at all. How is it that suhosin appears to be taking actions - at least by logging memory alerts - when it is not at all configured?

    Also, what does the lack of configuration mean that it is actually supposed to be doing by default? Does the lack of configuration settings effectively mean that it offers none of the advertised protections until they are configured?

    Thanks.

    Mike

  8. #8
    Member
    Join Date
    Sep 2004
    Location
    inside a catfish
    Posts
    963
    cPanel/Enkompass Access Level

    Root Administrator

    Re: How do I modify suhosin settings?

    If you don't have specific suhosin.* directives in your php.ini, Suhosin uses the defaults set during compile time.

    The best thing for you to do is put <?php phpinfo(); ?> into a php file and call it via a web browser. You'll then see all of the suhosin.* directives as well as what they are currently set to. Of course remove that file when you're done so nobody else can view it.

    Compare the suhosin.* values in your phpinfo with all of the directive options available at Hardened-PHP Project - PHP Security - Configuration, and then adjust your configuration accordingly if you feel it is necessary to do so.

    No -- the lack of specific configuration directives does NOT mean that it isn't offering any protection. It just means it's using default settings.

    M
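
Added example (not part of the original thread or any poster's code): a shell function that does the comparison described in post #8 from the command line, using `php -i` instead of a web-accessible phpinfo() page. It assumes the CLI binary loads the same php.ini as the web server and that `php -i` prints directives as `name => local => master`; the function name `suhosin_audit` and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Which suhosin.* directives come from php.ini, which are compiled-in defaults?
# Live use: php -i > /tmp/phpi.txt && suhosin_audit /usr/local/lib/php.ini /tmp/phpi.txt
# Output: "<directive>\t<effective value>\t<source>", where source is php.ini,
# default, or MISMATCH (set in php.ini but the running value differs).
suhosin_audit() {
    awk '
    function trim(s) { sub(/^[ \t"]+/, "", s); sub(/[ \t"\r]+$/, "", s); return s }
    function norm(v) {               # treat On/Off and 1/0 spellings as equal
        v = tolower(v)
        if (v == "on"  || v == "yes" || v == "true")  return "1"
        if (v == "off" || v == "no"  || v == "false") return "0"
        return v
    }
    FILENAME == ARGV[1] {            # php.ini: keep uncommented suhosin.* lines
        if ($0 ~ /^[ \t]*suhosin\.[A-Za-z0-9_.-]+[ \t]*=/) {
            eq = index($0, "=")
            val = substr($0, eq + 1); sub(/[ \t]*;.*$/, "", val)
            ini[trim(substr($0, 1, eq - 1))] = trim(val)
        }
        next
    }
    /^suhosin\./ {                   # php -i dump: "name => local => master"
        if (split($0, f, " => ") < 2) next
        key = trim(f[1]); eff = trim(f[2])
        if (!(key in ini))                    src = "default"
        else if (norm(ini[key]) == norm(eff)) src = "php.ini"
        else                                  src = "MISMATCH"
        printf "%s\t%s\t%s\n", key, eff, src
    }' "$1" "$2"
}

# Constructed sample input, not taken from a real server.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/php.ini" <<'EOF'
extension=suhosin.so
; suhosin.get.max_vars = 50
suhosin.get.max_value_length = 2048
suhosin.session.encrypt = On
suhosin.post.max_vars = 500
EOF
cat > "$tmp/phpi.txt" <<'EOF'
Loaded Configuration File => /usr/local/lib/php.ini
suhosin.get.max_value_length => 2048 => 2048
suhosin.get.max_vars => 100 => 100
suhosin.post.max_vars => 200 => 200
suhosin.session.encrypt => On => On
EOF
suhosin_audit "$tmp/php.ini" "$tmp/phpi.txt"
```

When a directive shows MISMATCH, the `Loaded Configuration File` line in the same `php -i` output tells you which php.ini is actually being read.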

  9. #9
    Member
    Join Date
    Dec 2001
    Location
    Long Beach, NY
    Posts
    220

    Re: How do I modify suhosin settings?

    Incidentally, if I make the change I need in php.ini, won't that get over-written with an upgrade? How can I make this change so that the change will be preserved with upgrades?

    Thanks.

    Mike

  10. #10
    Member
    Join Date
    Sep 2004
    Location
    inside a catfish
    Posts
    963
    cPanel/Enkompass Access Level

    Root Administrator

    Re: How do I modify suhosin settings?

    php.ini (whether it is /usr/local/lib/php.ini or if it is a custom php.ini you have somewhere for a specific user) should not ever get overwritten. It may get "modified" -- such as when you install suhosin it will add the extension line to the php.ini. But it doesn't get overwritten.

    Of course, if you have a php.ini in place that is customized, make a backup of it just in case. But it should never get totally overwritten by a completely new/different php.ini.

    Mike
