no Suhosin

Could someone be so kind as to suggest a distro that DOES NOT include Suhosin (PHP 5.3)? I know it is included with Ubuntu 10.x and believe it to be included with Ubuntu 9.x.

This add-on, patch, etc. is causing problems with Flash-related applications and is a royal pain to remove. My attempts to remove it have not yet been successful and I am considering moving to a different distribution.

Thank you for your thoughts and comments.

6 Replies

I'm pretty sure the Red Hat derivatives (CentOS/Fedora) don't use Suhosin by default. Debian derivatives do. Not sure about Arch/Gentoo/Slackware.

What problems are you having with Suhosin? If memory serves, the Debian PHP package only contains the patch, which doesn't do much in the way of restricting things.

@obs Thank you for the fast reply.

I guess this leads me to one other question.

I have used Fedora in the past but am not familiar with CentOS. Could anyone comment as to substantial differences between them in respect to server configurations?

I am looking at a LAMP type configuration that is secure.

Apache2, MySQL and PHP 5.x (preferably 5.3).

Main focus is to host multiple websites that I have created via VirtualHosts options.

Thank you.

CentOS = old and "stable"; however, its versions of PHP are so old they're pretty useless (PHP 5.1) (roll on CentOS 6!)

Fedora = new and "unstable"; Fedora has a short life cycle (see http://fedoraproject.org/wiki/LifeCycle#EndofLife_.28EOL.29)

Personally I wouldn't use either of them in a server system. If I had to use one I'd choose CentOS and get updated RPMs from a 3rd party repo (see http://wiki.centos.org/AdditionalResources/Repositories); Fedora's life cycle is too short IMHO to use as a server.

If I were you I'd try and resolve my issues with Suhosin and stick with Ubuntu/Debian.

Alternatively, you could try one of the other supported distros. I don't know much about them, but googling them will provide info on life cycle, PHP details, etc., and someone else that uses them might chirp up here.

I don't know what Ubuntu is using and it may depend on your application, but the Suhosin patch that Debian uses doesn't cause any problems for a few Flash-based apps on my sites. One is a Flash-based uploader, the other is a slideshow.

I know that the full-on Suhosin binary does cause issues with a lot more than just Flash-based apps though. It's definitely a trade-off of "let's make your server 'secure' but you can't do a whole lot of anything, have fun" type of "enhancement".

I've CentOS with PHP 5.3, no Suhosin, no problems. On the CentOS website it highlights "php53 is available as a php replacement", I assume because there are no known issues.

You can try to enable Suhosin simulation mode: http://www.hardened-php.net/suhosin/configuration.html#suhosin.simulation
