Debian Squeeze: remove Suhosin patch

Today I will talk about my troubles with a server running the Suhosin patch and how Debian Squeeze handles it. Let's start a little further back. When you install PHP through the Debian package system (on stable; I can't yet say how it is for the others), the Suhosin mod is sure to be installed with it as well. I had problems with a plu-frame PHP system, and instead of debugging the system and sending a report back to the developer, I made the cardinal decision to drop the security patch and save myself the headaches. In general, I can safely say that this was one of the stupidest decisions I have ever made.

First I removed the php5-suhosin module, restarted the web server and, oops, bam: the patch was still loaded. After a very short investigation I found out that the package was compiled with the patch directly in the code, which means it cannot be switched off or removed unless the code is recompiled without the patch. I decided to download the source and recompile it into a deb package. No sooner said than done: I ran apt-get source php5, pulled the current source code, unpacked it and so on. My perfect idea was to download the package source, remove the patch and recompile it into a Debian package, plus one or two small compilation optimizations. Said and done: I removed the unneeded patch debian/patches/suhosin.patch and also removed its entry from debian/patches/series so that it would not come into play. So far, everything was clear and without problems.

Then I ran debuild to compile the package and, as I expected, the compilation failed because of missing headers. Of course there would be such gaps; I'm still on a Debian netinstall. I quickly corrected my stupidity and recompiled; at one point it just died again, this time with a strange error in Zend/zend_stream.h or .c, I don't remember exactly (if it bothers me, I can check later exactly which file and line it blew up on).
After some bewilderment about what was happening and why exactly it was blowing up in the Zend core, where it should not blow up for any reason, and a slightly longer investigation, I found that this problem is relatively rare and there are not many reports of it. I suspect that one of the patches in the source is wrong, but right now I don't have the nerve to check it. Hmmmmm, weird, super weird. I had almost decided to compile pure PHP, but I decided to try the dotdeb mirrors to see what would happen there. There the compilation died because of some strange dependencies, but it did not hit the problems in the core part, which is understandable: they didn't have the 30-40 patches that were in the stable package.

After several long and unsuccessful attempts, I got tired, downloaded the vanilla package and compiled it with almost the Debian options, with the idea of overwriting my current installation so that, when installing new packages from the repository, it would behave like a package installed from the repository (probably another not very reasonable decision). As I expected, without all the patches the installation went smoothly. This is the output of my config.nice file:

#! /bin/sh
#
# Created by configure

CFLAGS='-g -O2 -fPIC -Wall -fsigned-char -fno-strict-aliasing   -gstabs' \
CXXFLAGS='-g -O2' \
'./configure' \
'--with-apxs2=/usr/bin/apxs2' \
'--prefix=/usr/local/php5' \
'--disable-cgi' \
'--with-config-file-path=/etc/php5/apache2' \
'--with-config-file-scan-dir=/etc/php5/apache2/conf.d' \
'--build=x86_64-linux-gnu' \
'--host=x86_64-linux-gnu' \
'--sysconfdir=/etc' \
'--localstatedir=/var' \
'--mandir=/usr/share/man' \
'--disable-debug' \
'--with-regex=php' \
'--disable-rpath' \
'--disable-static' \
'--with-pic' \
'--with-layout=GNU' \
'--with-pear=/usr/share/php' \
'--enable-calendar' \
'--enable-fileinfo' \
'--enable-hash' \
'--enable-json' \
'--enable-sysvsem' \
'--enable-sysvshm' \
'--enable-sysvmsg' \
'--enable-bcmath' \
'--with-bz2' \
'--enable-ctype' \
'--without-gdbm' \
'--with-iconv' \
'--enable-exif' \
'--enable-ftp' \
'--enable-dbase' \
'--with-gettext' \
'--enable-mbstring' \
'--with-onig=/usr' \
'--with-pcre-regex' \
'--with-mysql=shared,mysqlnd' \
'--with-mysql-sock=/var/run/mysqld/mysqld.sock' \
'--with-mysqli=shared,mysqlnd' \
'--enable-pdo=shared' \
'--with-pdo-mysql=shared,mysqlnd' \
'--with-pdo-odbc=shared,unixODBC,/usr' \
'--with-pdo-pgsql=shared,/usr/bin/pg_config' \
'--with-pdo-sqlite=shared,/usr' \
'--with-pdo-dblib=shared,/usr' \
'--enable-phar' \
'--enable-shmop' \
'--enable-sockets' \
'--enable-dom' \
'--enable-wddx' \
'--enable-tokenizer' \
'--with-zlib' \
'--with-kerberos=/usr' \
'--with-openssl=/usr' \
'--enable-soap' \
'--enable-zip' \
'--with-mhash=yes' \
'--with-exec-dir=/usr/lib/php5/libexec' \
'--with-system-tzdata' \
'--without-mm' \
'--with-readline=/usr' \
'--without-sybase-ct' \
'--without-sqlite' \
'--without-sqlite3' \
'--without-mssql' \
'--enable-pcntl' \
'--enable-inline-optimization' \
"$@"

This configuration is close to that of the dotdeb build. The basic and most important option is the prefix, which sets where the files with the PHP libraries will be located. Adjust it, along with the other paths, to match your system so that the change of paths in the build is not felt.
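
The point made earlier, that removing php5-suhosin leaves the compiled-in patch loaded, can be checked from the text of php -v. The script below is an added example, not part of the original post; the banner markers it matches are an assumption about how patched builds and the extension report themselves, and the sample banners are constructed.

```shell
#!/bin/sh
# Added example: tell a compiled-in Suhosin patch apart from the loadable
# php5-suhosin extension by reading the text of `php -v`.
# Assumption: a patched build announces "with Suhosin-Patch" on the first
# banner line, and the extension lists itself as an indented
# "with Suhosin v..." line. Confirm both against your own output.

suhosin_state() {
    banner=$1            # full text of `php -v`
    patch=no
    ext=no
    first=$(printf '%s\n' "$banner" | head -n 1)
    case $first in
        *"with Suhosin-Patch"*) patch=yes ;;   # built into the PHP core
    esac
    if printf '%s\n' "$banner" | grep -q '^[[:space:]]*with Suhosin v'; then
        ext=yes                                # module loaded at startup
    fi
    case "$patch/$ext" in
        yes/yes) echo "patch+extension" ;;
        yes/no)  echo "patch-only" ;;          # module removed, patch remains
        no/yes)  echo "extension-only" ;;      # removable without a rebuild
        *)       echo "none" ;;
    esac
}

# Constructed sample banners (version numbers and dates are made up).
SAMPLE_BOTH='PHP 5.3.3 with Suhosin-Patch (cli) (built: Jan  1 2011 00:00:00)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
    with Suhosin v0.9.32, Copyright (c) 2007-2010, by SektionEins GmbH'

SAMPLE_PATCH_ONLY='PHP 5.3.3 with Suhosin-Patch (cli) (built: Jan  1 2011 00:00:00)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies'

SAMPLE_VANILLA='PHP 5.3.3 (cli) (built: Jan  1 2011 00:00:00)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies'

for s in "$SAMPLE_BOTH" "$SAMPLE_PATCH_ONLY" "$SAMPLE_VANILLA"; do
    suhosin_state "$s"
done
# On a live host: suhosin_state "$(php -v)"
```

A result of patch-only after uninstalling the module is the situation described in the post: the hardening lives in the binary, and only a rebuild without the patch changes it.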
