I wanted to try out Hardened PHP (http://www.hardened-php.net/) so I spent some time adding a 'hardened' flavor to www/php5. It works pretty well for me (tested on sparc64 and i386, running it on sparc64 in production for about a week) but there are probably some glitches in terms of the packaging, which could be improved.
Hardened PHP itself seems fine, I haven't noticed any problems except for an issue where it appears to truncate session ids from 32 chars to 27 chars. This broke hastymail on our system. For a list of the kinds of attacks which are supposedly prevented by Hardened PHP, see this URL: http://www.hardened-php.net/hardening_patch.14.html I am not pushing too hard for inclusion of this patch in the main php5 port, but I thought I'd at least share it. If there is interest and people more familiar with the php5 port think it's ok, maybe it can go in. But I don't want to spend much more time on this, I was just scratching an itch ;) Index: Makefile =================================================================== RCS file: /usr/repository/ports/www/php5/Makefile,v retrieving revision 1.1.1.1 diff -u -r1.1.1.1 Makefile --- Makefile 2 Oct 2004 11:32:35 -0000 1.1.1.1 +++ Makefile 23 Feb 2006 23:50:16 -0000 @@ -1,7 +1,9 @@ # $OpenBSD: Makefile,v 1.1.1.1 2004/10/02 11:32:35 robert Exp $ SUBDIR += core +SUBDIR += core,hardened SUBDIR += extensions +SUBDIR += extensions,hardened SUBDIR += extensions,no_x11 .include <bsd.port.subdir.mk> Index: Makefile.inc =================================================================== RCS file: /usr/repository/ports/www/php5/Makefile.inc,v retrieving revision 1.7 diff -u -r1.7 Makefile.inc --- Makefile.inc 29 Dec 2005 23:03:29 -0000 1.7 +++ Makefile.inc 24 Feb 2006 00:03:51 -0000 
@@ -65,3 +65,21 @@ CHECKSUM_FILE= ${.CURDIR}/../distinfo PATCH_LIST= ${.CURDIR}/../patches/patch-* \ patch-* +FLAVORS+= hardened +FLAVOR?= + +.if ${FLAVOR:L:Mhardened} +HARDENED_V= 0.4.8 +HARDENED_PATCH= hardening-patch-${V}-${HARDENED_V}.patch +DISTFILES= php-${V}.tar.gz \ + ${HARDENED_PATCH}.gz:1 +PATCH_LIST+= ${.CURDIR}/../patches/hardened-* +MASTER_SITES1= http://www.hardened-php.net/ +# no packages allowed ? +# http://archives.neohapsis.com/archives/openbsd/2005-11/2545.html +PERMIT_PACKAGES_*=No + +pre-patch: + @cd ${WRKDIR} && \ + ${PATCH} -p0 -z .orig.bsd --quiet < ${WRKDIR}/${HARDENED_PATCH} +.endif Index: distinfo =================================================================== RCS file: /usr/repository/ports/www/php5/distinfo,v retrieving revision 1.7 diff -u -r1.7 distinfo --- distinfo 29 Dec 2005 23:03:29 -0000 1.7 +++ distinfo 23 Feb 2006 18:01:03 -0000 @@ -1,4 +1,8 @@ +MD5 (hardening-patch-5.0.5-0.4.8.patch.gz) = d699c64f70bb013e0a25329caad80129 MD5 (php-5.0.5.tar.gz) = ae36a2aa35cfaa58bdc5b9a525e6f451 +RMD160 (hardening-patch-5.0.5-0.4.8.patch.gz) = 0747fd2471e734dd2b24f84714277074622efb16 RMD160 (php-5.0.5.tar.gz) = f94cd33d13a298b5b5d2389a2d2b2079fe231fce +SHA1 (hardening-patch-5.0.5-0.4.8.patch.gz) = d7a3da2edd8c265aeb8405e1ca0403f59359e048 SHA1 (php-5.0.5.tar.gz) = 031ac2b1f56f4f6b20b17206a52627790b51f3bb +SIZE (hardening-patch-5.0.5-0.4.8.patch.gz) = 59288 SIZE (php-5.0.5.tar.gz) = 6082082 Index: extensions/Makefile =================================================================== RCS file: /usr/repository/ports/www/php5/extensions/Makefile,v retrieving revision 1.17 diff -u -r1.17 Makefile --- extensions/Makefile 29 Dec 2005 23:06:28 -0000 1.17 +++ extensions/Makefile 23 Feb 2006 23:50:26 -0000 
@@ -14,7 +14,11 @@ WANTLIB= stdc++ m -RUN_DEPENDS= :php5-core-${V}:www/php5/core +.if ${FLAVOR:L:Mhardened} +RUN_DEPENDS= :php5-core-${V}-hardened:www/php5/core +.else +RUN_DEPENDS= :php5-core-${V}-!hardened:www/php5/core +.endif .if !defined(PACKAGING) MODULES= devel/gettext .endif @@ -320,6 +324,13 @@ .endif .endfor +.if defined(FULLPKGNAME${i}) && ${FLAVOR:L:Mhardened} +.for i in ${MULTI_PACKAGES} +TNAME:= ${FULLPKGNAME${i}} +FULLPKGNAME${i}:= ${TNAME}-hardened +.endfor +.endif + .if defined(PACKAGING) && !empty(SUBPACKAGE) MODULE_NAME= ${SUBPACKAGE:S/-//g} LIB_DEPENDS= ${${MODULE_NAME:U}_DEPENDS} @@ -345,6 +356,5 @@ ${INSTALL_DATA} ${WRKBUILD}/modules/${m}.so \ ${PREFIX}/${MODULES_SUBDIR}/${m}.so .endfor - .include <bsd.port.mk> Index: patches/hardened-patch-configure_in =================================================================== RCS file: patches/hardened-patch-configure_in diff -N patches/hardened-patch-configure_in --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/hardened-patch-configure_in 23 Feb 2006 19:58:27 -0000 @@ -0,0 +1,11 @@ +$OpenBSD: patch-configure_in,v 1.4 2005/12/29 23:07:19 sturm Exp $ +--- configure.in.orig Thu Feb 23 19:18:37 2006 ++++ configure.in Thu Feb 23 19:20:45 2006 +@@ -631,7 +629,6 @@ AC_FUNC_UTIME_NULL + AC_FUNC_ALLOCA + dnl PHP_AC_BROKEN_SPRINTF + dnl PHP_AC_BROKEN_SNPRINTF +-PHP_AC_BROKEN_REALPATH + PHP_DECLARED_TIMEZONE + PHP_TIME_R_TYPE + PHP_READDIR_R_TYPE
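Review bot: in the Makefile.inc hunk, `PERMIT_PACKAGES_*=No` does not do what the comment `# no packages allowed ?` intends: make does not expand globs in variable names, so this defines a variable literally called `PERMIT_PACKAGES_*` and leaves PERMIT_PACKAGE_CDROM and PERMIT_PACKAGE_FTP untouched. Set those two explicitly, and since PERMIT_* variables take either Yes or a string giving the reason, put the actual reason there (the linked neohapsis thread, if that is the basis) instead of `No` and drop the question mark. In the same hunk the `pre-patch` target reads `${WRKDIR}/${HARDENED_PATCH}` while the distfile is `${HARDENED_PATCH}.gz:1`, so it relies on the extract stage having decompressed the file to exactly that name; either note that dependency in a comment or have the target decompress the distfile itself (`gzip -dc ... | ${PATCH} ...`) so the flavor does not break if extraction handling changes.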
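Review bot: in the second extensions/Makefile hunk the guard `.if defined(FULLPKGNAME${i}) && ${FLAVOR:L:Mhardened}` is placed before the `.for i in ${MULTI_PACKAGES}` loop it is meant to protect, so `${i}` there is whatever value the preceding `.for` loop left behind (or nothing) and the `defined()` test never checks the subpackage actually being renamed. Keep only the flavor test outside the loop and move the `defined(FULLPKGNAME${i})` test inside it, e.g. `.for i in ${MULTI_PACKAGES}` / `.if defined(FULLPKGNAME${i})` / `FULLPKGNAME${i}:= ${FULLPKGNAME${i}}-hardened`; with `:=` the right-hand side is expanded immediately, so the `TNAME` temporary is not needed.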
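Review bot: the third extensions/Makefile hunk only deletes the blank line before `.include <bsd.port.mk>`, which has nothing to do with the flavor; drop it so the diff stays limited to the change under review.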
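Review bot: the new file patches/hardened-patch-configure_in starts with `$OpenBSD: patch-configure_in,v 1.4 2005/12/29 23:07:19 sturm Exp $`, the expanded RCS id copied from the existing patch-configure_in; a newly added file should carry a bare `$OpenBSD$` so CVS assigns its own id on commit. The copied id also suggests this is the existing patch with shifted offsets, and because the flavor appends `${.CURDIR}/../patches/hardened-*` to a PATCH_LIST that still contains `${.CURDIR}/../patches/patch-*`, both files get applied to configure.in; if patch-configure_in removes the same `PHP_AC_BROKEN_REALPATH` line, the second application will fail or be rejected as reversed, so the flavor should substitute the hardened patch for the original rather than add it alongside.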