How do I modify suhosin settings?

Discussion in 'General Discussion' started by mikelegg, Jul 19, 2011.

  1. mikelegg

    mikelegg Well-Known Member

    I want to change my suhosin configuration, which is supposedly done via the php.ini file. (Hardened-PHP Project - PHP Security - Configuration)

    I opened the PHP Configuration Editor to do this (to prevent changes from being overwritten) and clicked on the "Advanced" option, but the suhosin options aren't there.

    So I took a look at /usr/local/lib/php.ini and the settings aren't in there either.

    I know suhosin is installed and running - but I can't find its configuration file - can anybody throw any light on this?
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Can you check with php -v to ensure it is installed?

    Code:
    php -v
    You might try uninstalling and reinstalling it:

    Code:
    /scripts/phpextensionmgr uninstall PHPSuHosin
    /scripts/phpextensionmgr install PHPSuHosin
    Those SuHosin settings should be in the /usr/local/lib/php.ini file.
     
  3. mikelegg

    mikelegg Well-Known Member

    Thanks Tristan

    It's definitely there -

    I'll try the uninstall / reinstall and see what happens.
     
  4. mikelegg

    mikelegg Well-Known Member

    I did the uninstall/reinstall but the settings still don't appear in php.ini.

    Yet phpinfo() says that suhosin is installed and the messages log shows requests being blocked by suhosin (e.g. suhosin[7123]: ALERT - configured GET variable limit exceeded)
     
  5. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    I was incorrect myself on the behavior. Only the suhosin.so extension is loaded into the php.ini file, as suhosin comes with default options already set. In order to change those options, you'd need to add them to the existing /usr/local/lib/php.ini file if they aren't there. For some reason, I had thought that they were added previously, but after installing suhosin on my server again, the settings aren't appearing in the global php.ini file.

    These are the settings you can add to the existing /usr/local/lib/php.ini file:

    You can review Hardened-PHP Project - PHP Security - Configuration location for any details on the various settings.
     
  6. mikelegg

    mikelegg Well-Known Member

    Thanks Tristan
     
  7. lbeachmike

    lbeachmike Well-Known Member

    Thanks Tristan - my question was the same as the above, as to where to find the configuration settings, but I'm entirely unclear on why the suhosin configuration settings are not in place at all. How is it that suhosin appears to be taking actions - at least by logging memory alerts - when it is not at all configured?

    Also, what does the lack of configuration mean that it is actually supposed to be doing by default? Does the lack of configuration settings effectively mean that it offers none of the advertised protections until they are configured?

    Thanks.

    Mike
     
  8. mtindor

    mtindor Well-Known Member

    If you don't have specific suhosin.* directives in your php.ini, Suhosin uses the defaults set during compile time.

    The best thing for you to do is put <?php phpinfo(); ?> into a php file and call it via a web browser. You'll then see all of the suhosin.* directives as well as what they are currently set to. Of course, remove that file when you're done so nobody else can view it.

    Compare the suhosin.* values in your phpinfo with all of the directive options available at Hardened-PHP Project - PHP Security - Configuration, and then adjust your configuration accordingly if you feel it is necessary to do so.

    No -- the lack of specific configuration directives does NOT mean that it isn't offering any protection. It just means it's using default settings.

    M
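
Added example (not part of any post in this thread): a shell function that makes the comparison described in the post above from the command line, listing each suhosin.* directive with its effective value and whether php.ini sets it explicitly. It assumes the `name => local value => master value` row format printed by `php -i`; the function names and the sample data are constructed for illustration.

```bash
#!/bin/bash
# Added example, not from the thread. On a live server (path from the thread):
#   php -i > /tmp/phpinfo.txt
#   suhosin_report /tmp/phpinfo.txt /usr/local/lib/php.ini
# Prints "directive<TAB>effective value<TAB>source" per suhosin.* directive.
suhosin_report() {
    awk -F' => ' -v ini="$2" '
        BEGIN {
            # Record every suhosin.* directive set explicitly in php.ini.
            while ((getline line < ini) > 0) {
                sub(/[ \t]*;.*/, "", line)            # drop ; comments
                if (line ~ /^[ \t]*suhosin\.[A-Za-z0-9_.]+[ \t]*=/) {
                    split(line, kv, "=")
                    gsub(/[ \t]/, "", kv[1])
                    explicit[kv[1]] = 1
                }
            }
            close(ini)
        }
        # phpinfo text rows: name => local value => master value.
        # "not in php.ini" means the compiled-in default applies,
        # assuming no other ini file sets the directive.
        /^suhosin\./ && NF >= 2 {
            src = ($1 in explicit) ? "php.ini" : "not in php.ini"
            printf "%s\t%s\t%s\n", $1, $2, src
        }
    ' "$1"
}

# Constructed sample data so the function can be tried without PHP installed.
suhosin_demo() {
    local dir; dir=$(mktemp -d)
    cat > "$dir/phpinfo.txt" <<'EOF'
suhosin
suhosin.get.max_vars => 250 => 250
suhosin.post.max_vars => 1000 => 1000
suhosin.simulation => Off => Off
EOF
    cat > "$dir/php.ini" <<'EOF'
extension = "suhosin.so"
;suhosin.post.max_vars = 5000
suhosin.get.max_vars = 250   ; raised after "GET variable limit exceeded" alerts
EOF
    suhosin_report "$dir/phpinfo.txt" "$dir/php.ini"
    rm -rf "$dir"
}

suhosin_demo
```

A commented-out line such as `;suhosin.post.max_vars = 5000` is reported as not set, which is the case that most often hides why a change "did not take".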
     
  9. lbeachmike

    lbeachmike Well-Known Member

    Incidentally, if I make the change I need in php.ini, won't that get over-written with an upgrade? How can I make this change so that the change will be preserved with upgrades?

    Thanks.

    Mike
     
  10. mtindor

    mtindor Well-Known Member

    php.ini (whether it is /usr/local/lib/php.ini or if it is a custom php.ini you have somewhere for a specific user) should not ever get overwritten. It may get "modified" -- such as when you install suhosin it will add the extension line to the php.ini. But it doesn't get overwritten.

    Of course, if you have a php.ini in place that is customized, make a backup of it just in case. But it should never get totally overwritten by a completely new/different php.ini.

    Mike
     