From: Jeremy Chadwick
To: Matt
Cc: Alain Wolf, freebsd-questions@freebsd.org
Date: Wed, 15 Oct 2008 13:05:51 -0700
Subject: Re: [Fwd: Suhosin Segmentation Fault]
Message-ID: <20081015200551.GA87569@icarus.home.lan>

On Wed, Oct 15, 2008 at 02:47:00PM -0500, Matt wrote:
> On Wed, Oct 15, 2008 at 2:35 PM, Jeremy Chadwick wrote:
> > On Wed, Oct 15, 2008 at 08:26:09PM +0100, Matthew Seaman wrote:
> >> Jeremy Chadwick wrote:
> >>
> >>> Suhosin is not an extension you load in extensions.ini; it's a patch
> >>> applied to the core of PHP.
> >>
> >> % grep suhosin /usr/local/etc/php/extensions.ini
> >> extension=suhosin.so
> >>
> >> It's both a set of patches to the PHP core, and a loadable module.
> >>
> >> Cheers,
> >>
> >> Matthew
> >
> > Are you sure?
>
> Yes - the suhosin extension is located in the ports tree at:
> /usr/ports/security/php-suhosin
>
> Install instructions are at:
> http://www.hardened-php.net/suhosin/how_to_install_or_upgrade.html#installing_the_extension
>
> It's been a while since I've looked at the suhosin options and I can't
> remember what the differences are between the extension and the
> core-php patch.

Deep within their forums, I found an answer in a thread. The thread
pointed me to this:

http://www.hardened-php.net/suhosin/a_feature_list.html

"Engine Protection" is not available in security/php-suhosin. Seems
to me that the benefits of using the patch version easily outweigh
that of the extension version, solely for protection against formatted
string vulnerabilities.

I also found this amusing tidbit, which is a sticky post on their forum:

http://forum.hardened-php.net/viewtopic.php?id=122

That sticky also states that pspell.so will cause Suhosin to crash,
advocating that pspell.so must come last in extension.so, but then also
advocates simply not using pspell at all. I'm sure that does nothing
but confuse users.

Seems the OP has also posted there:

http://forum.hardened-php.net/viewtopic.php?id=501

It would be interesting to know if the segfaults people experience are
specific to the extension version of Suhosin.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
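
Added example, not part of the original message or of the Suhosin project: a shell check for the load-order advice relayed above, assuming the sticky refers to the order of `extension=` lines in a file such as /usr/local/etc/php/extensions.ini. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Audit a PHP extensions.ini for the pspell/Suhosin load order discussed in the thread.

# Print the active extension= module names in load order.
# ';' comments and surrounding double quotes are stripped first;
# zend_extension= lines are ignored because the match is anchored at line start.
list_extensions() {
    sed -n -e 's/;.*$//' -e 's/"//g' \
        -e 's/^[[:space:]]*extension[[:space:]]*=[[:space:]]*\([^[:space:]]\{1,\}\)[[:space:]]*$/\1/p' \
        "$1"
}

# Report one of:
#   suhosin-extension-not-loaded  (only the core patch, or no Suhosin at all)
#   pspell-not-loaded             (load order is not a concern)
#   pspell-last                   (matches the advice relayed from the forum sticky)
#   pspell-not-last               (the ordering the sticky says leads to crashes)
check_suhosin_order() {
    exts=$(list_extensions "$1")
    if ! printf '%s\n' "$exts" | grep -qx 'suhosin\.so'; then
        echo "suhosin-extension-not-loaded"
    elif ! printf '%s\n' "$exts" | grep -qx 'pspell\.so'; then
        echo "pspell-not-loaded"
    elif [ "$(printf '%s\n' "$exts" | tail -n 1)" = "pspell.so" ]; then
        echo "pspell-last"
    else
        echo "pspell-not-last"
    fi
}

# Constructed sample file (not taken from the thread).
sample=$(mktemp)
cat > "$sample" <<'EOF'
; constructed sample extensions.ini
extension=pspell.so
extension=session.so
;extension=ldap.so
extension=suhosin.so
EOF
echo "load order:"; list_extensions "$sample"
echo "result: $(check_suhosin_order "$sample")"
rm -f "$sample"
```

A result of `suhosin-extension-not-loaded` says nothing about whether the core patch is compiled in; this only inspects the extension list.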