Weblog entry #158 for simonw

Suhosin Revisited
Posted by simonw on Thu 29 Mar 2007 at 21:59
Trying out Suhosin in anger on one of the servers here, after my article:

http://www.debian-administration.org/articles/498

After ploughing through the documentation for all the settings, I decided to try the settings below in my /etc/php5/conf.d/suhosin.ini file:

; Transparent cookie encryption: does nothing until a key is set
#suhosin.cookie.cryptkey="<removed>"
#suhosin.cookie.encrypt=1
; Forbid the /e modifier (runs the replacement string as PHP code)
suhosin.executor.disable_emodifier=1
; Forbid eval(); left off because Squirrelmail uses it
#suhosin.executor.disable_eval=1
; Comma-separated list of functions scripts may not call
suhosin.executor.func.blacklist=phpinfo
; Maximum number of "../" allowed in an include path
suhosin.executor.include.max_traversal=4
; Maximum nesting depth the executor allows
suhosin.executor.max_depth=100
; Answer a blocked request with an HTTP 403 instead of carrying on
suhosin.filter.action="403"
; Strictest checking of mail() headers for injected line breaks
suhosin.mail.protect=2
; Upper bound a script may raise memory_limit to
suhosin.memory.limit=20M
; Transparent session encryption: likewise needs a key
#suhosin.session.cryptkey="<removed>"

These settings seemed "reasonable" for my use, although I knew from a quick grep that "eval" was used in Squirrelmail's addressbook.php. That use of "eval", to select from various backend classes, is considered one of the few acceptable ones, and I could probably hard-code the backend, or rewrite the code to avoid "eval", easily enough. I'm not fighting it; I'm after low-hanging fruit, like the mail protection.

The cookie and session encryption seemed to upset the session handling in a third-party bulletin board, hence those settings are commented out as well.

Suhosin encryption doesn't do anything until you set the keys (obvious, but someone will miss it!); I checked whether it tried to do something by default, and it doesn't.

The settings above are additional security settings on top of the Suhosin defaults on Debian Etch.
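The "mail protection" referred to above is a check at the mail() call for line breaks smuggled into header values. As an added example (not part of the original post and not Suhosin's code), here is the same guard done at application level, so that a script stays protected even on a host without Suhosin. It assumes PHP 7 or later; the inputs at the bottom are constructed.

```php
<?php
// Added example, not from the original post: an application-level guard
// that does what suhosin.mail.protect does at the mail() call, refusing
// to send when a header value carries a CR, LF or NUL.

/**
 * True if a header name or value is safe to hand to mail():
 * no carriage return, line feed or NUL byte anywhere in it.
 */
function header_value_is_safe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

/**
 * Wrapper around mail() that validates To, Subject and every additional
 * header before sending. $extra is an associative array such as
 * ['From' => 'webmaster@example.com'] (hypothetical header set).
 * Returns false, and sends nothing, if any value fails the check.
 */
function send_mail_checked(string $to, string $subject, string $body, array $extra = []): bool
{
    if (!header_value_is_safe($to) || !header_value_is_safe($subject)) {
        error_log('refusing mail(): line break in To or Subject');
        return false;
    }
    $headers = '';
    foreach ($extra as $name => $value) {
        if (!header_value_is_safe($name) || !header_value_is_safe($value)) {
            error_log("refusing mail(): line break in header '$name'");
            return false;
        }
        $headers .= "$name: $value\r\n";
    }
    return mail($to, $subject, $body, $headers);
}

// Constructed inputs, as they might arrive from a web form. The second one
// is the pattern the guard exists to reject: an extra header folded into
// the recipient field.
$good = 'alice@example.com';
$bad  = "alice@example.com\r\nBcc: everyone@example.com";

var_dump(header_value_is_safe($good));  // bool(true)
var_dump(header_value_is_safe($bad));   // bool(false)
```

The check is deliberately stricter than "strip the line breaks": a value that contains one is evidence of tampering, so the send is refused and logged rather than repaired.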


Comments on this Entry

Posted by simonw (212.24.xx.xx) on Fri 30 Mar 2007 at 10:33
Squirrelmail also used the "/e" modifier in regular expressions for decoding (us_ascii, iso_8859_1 and utf8).

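Both of the Squirrelmail uses mentioned on this page, the "eval" that picks an address book backend class and the "/e" modifier in the charset decoders, are the constructs that suhosin.executor.disable_eval and suhosin.executor.disable_emodifier switch off. As an added example (not Squirrelmail's code and not part of the original post), here is each pattern beside a rewrite that does the same job without executing a string as PHP code. It assumes PHP 7.2 or later; the backend classes and the hex-escape decoder are hypothetical stand-ins.

```php
<?php
// Added example, not from the original post: the two dynamic-code
// constructs Suhosin can disable, each beside a form that does not run
// strings as code.

// --- 1. eval() used to select a backend class -------------------------

// Hypothetical backend classes standing in for an address book's storage backends.
class FileBackend { public function name(): string { return 'file'; } }
class LdapBackend { public function name(): string { return 'ldap'; } }

// The pattern disable_eval breaks: a class name is spliced into PHP source
// text and evaluated.
function backend_via_eval(string $type): object
{
    $class = ucfirst($type) . 'Backend';
    return eval("return new $class();");
}

// Same selection with a whitelist and a variable class name: nothing is
// parsed as PHP at run time, and an unexpected $type is rejected instead of
// becoming part of source text.
function backend_without_eval(string $type): object
{
    $allowed = ['file' => FileBackend::class, 'ldap' => LdapBackend::class];
    if (!isset($allowed[$type])) {
        throw new InvalidArgumentException("unknown backend: $type");
    }
    $class = $allowed[$type];
    return new $class();
}

// --- 2. The /e modifier in a decoder ----------------------------------

// The pattern disable_emodifier breaks (and PHP 7 removed outright): the
// replacement argument is PHP code run once per match, e.g.
//   preg_replace('/=([0-9A-F]{2})/e', 'chr(hexdec("\1"))', $s);
// On PHP 7+ that call only warns and returns null, so it is shown here
// as a comment rather than executed.

// Same decode with preg_replace_callback: the callback is a real closure,
// not code assembled from a string. (Constructed "=XX" hex-escape format.)
function decode_hex_escapes(string $s): string
{
    return preg_replace_callback(
        '/=([0-9A-F]{2})/',
        function (array $m): string { return chr(hexdec($m[1])); },
        $s
    );
}

echo backend_without_eval('ldap')->name(), "\n";  // ldap
echo decode_hex_escapes('caf=C3=A9'), "\n";       // café
```

The whitelist in backend_without_eval is the part worth keeping even where eval() is still allowed: with it, the only values that reach `new $class()` are the ones the author listed, which is the property the "acceptable use" argument for eval quietly relies on.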
