Need package for php5 without suhosin patch

Reported by jmccaskey on 2009-12-18
This bug affects 7 people
Affects: php5 (Ubuntu)
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Binary package hint: php5

First, I know bugs related to suhosin have been discussed before and understand that you can choose to use the module or not by installing php5-suhosin. However, there is currently no way to disable the core suhosin patch except to build your own PHP5 packages.

The Suhosin patch itself adds significant memory and CPU overhead to PHP and there should be a way to disable it without having to go through the headache of maintaining our own modules.

In our case we are serving the page http://store.steampowered.com/app/500/ as an example, with the default Ubuntu package with Suhosin we get peak memory usage during page generation of 9961472 bytes, and a total execution time of ~75ms. If we rebuild without the Suhosin patch and use a custom package we end up with peak memory usage of 7077888 bytes and a page generation time of roughly 50ms. These same types of results (i.e., roughly 40% increased memory usage and 20-50% increased CPU usage) are easily repeatable across many machines and across many different page requests.

Since our code is well audited and secure, and since the memory canaries it provides only help detect memory corruption bugs in PHP itself and do not prevent them, we see no reason we would ever wish to run with it enabled on our production servers.

Please provide packages for Ubuntu that don't force the inclusion of Suhosin!

Andreas Olsson (andol) on 2009-12-19
Changed in php5 (Ubuntu):
importance: Undecided → Wishlist
Chuck Short (zulcss) on 2010-01-12
Changed in php5 (Ubuntu):
status: New → Confirmed
Adam Conrad (adconrad) wrote :

A bit late to the party here, but have you tried disabling various suhosin features in php.ini? There's a fairly comprehensive list at:

http://www.hardened-php.net/suhosin/configuration.html

Turning off things like transparent session encryption could see a pretty drastic performance boost on sites that use automatic session tracking.

I heartily agree with the person who filed this bug report!

Please issue a PHP without the suhosin patch, for those of us for whom the patch creates more problems than it solves.

Baking the suhosin patch into the PHP distro has been very bad for those of us whose Web services have been disrupted by the spurious errors generated by this version of the suhosin patch. (The defect has been acknowledged by the author of the patch.)

By the way, dear Adam Conrad: Modifying php.ini has no effect on this problem; I've tried it. (I guess that the configuration is for the suhosin extension, not the patch.)

dgtlmoon (dgtlmoon) wrote :

@adconrad yes, please don't assume that this fixes all problems; even by setting suhosin to simulate mode only (as per your documentation link) it still does not work with Zend correctly, which makes it a real pain for any PHP developers to use Ubuntu-based systems as their weapon of choice.

jmccaskey (jmccaskey) wrote :

Yes, to follow up on dgtlmoon's post, we always disabled the extension completely, and that's not the problem this bug is talking about. The problem is that a patch to the PHP core is always applied in the Ubuntu packages, and that always modifies behavior in ways that are both memory and CPU intensive no matter whether or not you turn off all possible Suhosin options including completely disabling (or not installing) the extension package.

This problem still exists with current Ubuntu releases (even without php-suhosin, the extension package, installed at all) and it's pretty surprising that it doesn't get addressed. There are tons of posts around the web about this problem and how to work around it, as well as numerous related bug posts. It seems like the Ubuntu PHP maintainers just aren't serious about providing an enterprise grade PHP setup on Ubuntu but instead only on targeting small users where perf is unimportant.

We'd still love a proper solution and continue to be forced to maintain our own packages because of this failure.

Arvydas (arvydas-brazenas) wrote :

This is kinda like a cosmic joke. Half of the sites do not work with the suhosin patch, yet you force it into your php5 build.

To my mind there should be just plain raw php5, and if the user wishes so, he can add suhosin himself or whatever he wants to.

Please make it raw.

Debian has now unfortunately dropped suhosin core patches from their php5 packages, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657698 .

Best solution IMHO would be to provide both, packages with the suhosin core patches and without.
Default should be _with_ suhosin core patches, and the ones without could be named like php5-xxx-no-suhosin or so.

Perhaps Debian and Ubuntu can contribute to each other a little bit here?

Cheers,
Chris.

Leo Plotkin (lplotkin) wrote :

This really needs to get addressed. Migrating to Ubuntu server just cost me half a day of debugging to find Suhosin patch is baked into the executable and is *NOT* being disabled through either .htaccess or php.ini methods. I understand it's a good idea to provide this additional security, but unfortunately the patch causes coredumps when processing large xml files in Zend and other happy fun errors that are simply not present in other Linux distributions.

Having to compile and maintain my own Suhosin-free packages is a solution, but not a good one.

It's a good idea, but is definitely *NOT* ready as a default.

snafu109 (snafu109) wrote :

As of 5.4.4-1ubuntu1 in quantal, Suhosin patch has been disabled. See http://changelogs.ubuntu.com/changelogs/pool/main/p/php5/php5_5.4.6-1ubuntu1.5/changelog.

Changed in php5 (Ubuntu):
status: Confirmed → Fix Released
tags: added: precise