One of my projects for the “holidays” is moving one of my servers from Gentoo to Ubuntu. During planning for this, I noticed that the Ubuntu version of PHP5 includes Suhosin. That’s a problem.

The problem with Suhosin is that it’s designed to stop sloppy applications from doing bad things. I’m sure it does a reasonable job of that, but in the process it can interfere with good applications (see examples for Joomla). Since I’m in the business of writing good applications, Suhosin is a bad idea. Worse yet, it can provide a false sense of security, since it can’t deal with anything except typical PHP errors. As far as I’m concerned, this class of “security blanket” provides false comfort and is no replacement for auditing and testing.
So there’s the rationale. Here is the method:

  • Create a working directory:
    mkdir packages
  • Enter the directory:
    cd packages
  • If you haven’t built a Debian package before get development scripts:
    sudo apt-get install devscripts
  • If this system hasn’t been used for development, you need a minimal tool set:
    sudo apt-get install gcc debhelper fakeroot
  • Get the PHP5 source (do not use sudo on this one):
    apt-get source php5
  • Enter the PHP5 directory (versions may vary; at the time of writing it is php5-5.2.4):
    cd php5-5.x.y
  • Ensure an unmodified PHP will build. This might take some time as it fetches various dependencies.
    sudo apt-get build-dep php5
  • Remove the patch file:
    rm debian/patches/suhosin.patch
  • Remove the reference to the patch (delete the line that contains suhosin.patch with Ctrl-K, then Ctrl-O to save and Ctrl-X to exit):
    nano debian/patches/series
  • Increment the version number. This can be problematic. Your version number is likely to be different from the one listed here, and I found some reports that having the string “suhosin” in the version can confuse some applications into thinking Suhosin is installed. I simply appended “.1~custom” to the current package version:
    debchange -v 5.2.4-2ubuntu5.4.1~custom
  • The version bump will open the nano text editor. Move to the end of the auto-selected line, enter a comment like “Removed Suhosin.” then press Ctrl-O to save, Ctrl-X to exit.
  • Finally build the package (note only one “b” in “deb build”):
    debuild
  • Take a break; the build will take a while. Ignore the hundreds of warnings that scroll past.
  • You should have new packages:
    ls ../php5*
  • Quick and dirty install (might break stuff):
    sudo dpkg -i ../*.deb
    [I will look for a better way and update this if I find it.]
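The two hand-edit steps above (deleting suhosin.patch and its line in debian/patches/series) are easy to get slightly wrong in nano, so here is the same edit as a small POSIX shell script with a check that the entry is really gone. This is an added example, not part of the original post or of the Ubuntu php5 packaging; it assumes the standard quilt layout (debian/patches/series listing one patch file name per line) and builds a throwaway sample tree with constructed placeholder patch names so it can be run without fetching the php5 source.

```shell
#!/bin/sh
# Added example: remove one patch from a Debian/quilt source tree and verify.
# Assumes debian/patches/series lists plain patch file names, one per line
# (no quilt options after the name), which is how the php5 series file is laid out.

# drop_patch <source-tree> <patch-name>
# Deletes debian/patches/<patch-name> and its line in debian/patches/series.
# Fails (non-zero) if there is no series file or the patch is not listed,
# so running it twice by mistake is noticed instead of silently "succeeding".
drop_patch() {
    tree="$1"
    patch="$2"
    series="$tree/debian/patches/series"
    [ -f "$series" ] || { echo "drop_patch: no series file in $tree" >&2; return 1; }
    grep -Fqx "$patch" "$series" || { echo "drop_patch: $patch not listed in series" >&2; return 1; }
    rm -f "$tree/debian/patches/$patch"
    # Keep every line except the exact patch name (fixed-string, whole-line match).
    grep -Fvx "$patch" "$series" > "$series.tmp"
    mv "$series.tmp" "$series"
}

# series_has <source-tree> <patch-name>: exit 0 if the patch is still listed.
series_has() {
    grep -Fqx "$2" "$1/debian/patches/series"
}

# make_sample_tree: builds a constructed stand-in for php5-5.x.y/ in a temp dir.
# The placeholder-*.patch names are invented for this example; the real php5
# series file is much longer.
make_sample_tree() {
    sample=$(mktemp -d)
    mkdir -p "$sample/debian/patches"
    printf '%s\n' placeholder-a.patch suhosin.patch placeholder-b.patch \
        > "$sample/debian/patches/series"
    for p in placeholder-a.patch suhosin.patch placeholder-b.patch; do
        printf '# constructed placeholder patch body\n' > "$sample/debian/patches/$p"
    done
    echo "$sample"
}

# Stand-alone demo on the constructed tree.
# Real use, from inside the packages directory: drop_patch php5-5.x.y suhosin.patch
demo_tree=$(make_sample_tree)
drop_patch "$demo_tree" suhosin.patch
echo "remaining series entries:"
cat "$demo_tree/debian/patches/series"
rm -rf "$demo_tree"
```

After `debuild` and `dpkg -i`, the check that matters is on the installed interpreter, not the source tree: `php -m` lists loaded modules, and "suhosin" should no longer appear in that list (the patched build's php.ini can still carry stray suhosin.* settings, which PHP then simply ignores).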

Credits: I found this process in the Ubuntu forums. This version accounts for a few problems I encountered when following the original. I am anything but a build expert, and any requests for assistance are likely to be ignored or met with “beats me”. Your mileage may vary.
