Compiling PHP with Suhosin

So upon checking I noticed they released PHP 5.2.11. I still haven’t upgraded to PHP 5.3.0 because it breaks too many things and I haven’t bothered to figure out how to install both of them at the same time (Working on it though).  I’ve compiled PHP so many times I can do it quickly and from memory, so I figured I would start sharing some of that knowledge. This post is about compiling PHP with support for some popular addons, and a few security options you should use. I am assuming you use Apache 2 and Linux. I also assume you are root.

For this, I will be compiling in the Suhosin patch and extension, and enabling various database and other modules that come in handy when working with PHP. I’ve found that I need these to be able to use various software packages.

The first step is to go to and get the url for the download. For PHP 5.2.11 that url is

  1. mkdir /root/phptemp; cd /root/phptemp
  2. wget
  3. tar -jxvf php-5.2.11.tar.bz2
  4. Now we need to grab the latest Suhosin and hardened PHP patches
  5. wget
  6. wget
  7. tar -xvzf suhosin-0.9.29.tgz
  8. gunzip suhosin-patch-5.2.11-0.9.7.patch.gz
  9. Please note that I skipped the signature testing of the two files. This is optional, but it is recommended that you do not skip it
  10. cd php-5.2.11
  11. patch -p 1 -i ../suhosin-patch-5.2.11-0.9.7.patch
  12. The next step involves configuring PHP. You may need to modify some of the paths or install some required software packages
  13. ./configure --with-apxs2=/usr/sbin/apxs --without-sqlite --with-mysql --with-mysqli --with-zlib --with-bz2 --with-gd --with-curl --with-openssl --with-mcrypt --with-mhash --enable-mbstring --with-kerberos --with-imap-ssl --prefix=/usr --with-config-file-path=/etc --with-gettext --with-ttf --enable-exif --with-pear --enable-gd-native-ttf --with-freetype-dir=/usr/include/freetype2/freetype --with-jpeg-dir=/usr/bin --with-png-dir=/usr/bin --enable-calendar
  14. make
  15. make test
  16. make test may not work if you are upgrading and have disabled certain functions
  17. make install
  18. make clean

Ok, so now PHP is installed/upgraded and now we need to compile and install the Suhosin extension.

  1. cd /root/phptemp/suhosin-0.9.29
  2. phpize
  3. ./configure
  4. make
  5. make install
  6. vi /etc/php.ini
  7. Find the extensions section (Or just append to the bottom)

This is not a complete resource for installing PHP and Suhosin. I really recommend you read about Suhosin on their website. It is best if you understand this really amazing product.

Now the Suhosin extension is installed and enabled, but some of the other extensions may or may not have been enabled. Use the above syntax of to enable them, restarting Apache after each one to make sure everything works OK.

I use the following option to disable various functions that aren’t normally needed and could pose a security risk.

disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_uname, shell_exec, syslog, system, xmlrpc_entity_decode, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate"

I set all of my open_basedir options for each virtual host, but I also set a default option just in case. For my server, I have Apache set up using the webroot /chroot/www with a symlink /www pointing to /chroot/www. In my php.ini file, I set open_basedir = /www as a failsafe.
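A quick way to check a php.ini for the two settings discussed above, as an added example that is not part of the original post: it reports names listed twice in disable_functions, flags eval (a language construct, so disable_functions has no effect on it), and warns when no global open_basedir default is set. The helper names ini_value and audit_php_ini are hypothetical, and the sample php.ini is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit php.ini hardening settings.

# Print the value of the last uncommented "KEY = value" line in FILE.
ini_value() {   # usage: ini_value FILE KEY
    awk -v key="$2" '
        /^[ \t]*;/ { next }                      # skip comment lines
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)       # trim the key
            gsub(/^[ \t"]+|[ \t"]+$/, "", v)     # trim the value and its quotes
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Print one finding per line; return 1 if there is anything to review.
audit_php_ini() {   # usage: audit_php_ini FILE
    ini=$1
    findings=$(
        funcs=$(ini_value "$ini" disable_functions | tr ', ' '\n\n' | sed '/^$/d')
        [ -n "$funcs" ] || echo "disable_functions is empty or missing"
        # The same name listed twice usually means the list was pasted together.
        printf '%s\n' "$funcs" | sort | uniq -d | sed 's/^/duplicate entry: /'
        # eval is a language construct, so disable_functions cannot block it.
        printf '%s\n' "$funcs" | grep -qx 'eval' &&
            echo "eval listed: no effect, eval is a language construct"
        [ -n "$(ini_value "$ini" open_basedir)" ] ||
            echo "open_basedir has no global default"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample php.ini (abbreviated list, no open_basedir default).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[PHP]
; constructed sample
disable_functions = "eval, exec, passthru, posix_setuid, posix_setuid, system"
EOF
audit_php_ini "$sample" || echo "review the findings above"
rm -f "$sample"
```

Run it against /etc/php.ini after editing; a non-zero return means at least one finding was printed.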

Next to come is my guide on installing Apache 2 with PHP and MySQL support, as well as mod_chroot and other security mods.

