  #1  
05 Apr 2008, 19:24
Jase2
 
Join Date: Dec 2007
Suhosin

Hi all,

I ran a diagnostic, and it says: Suhosin Module Loaded Yes.

Suhosin can limit the amount of data submitted and encrypt cookies causing problems with several aspects of vBulletin.
Anyone know how to disable this?
  #2  
05 Apr 2008, 20:12
snakes1100
 
Join Date: Dec 2001
Real name: Anthony
Unless you can modify php.ini, you can't, unless your host allows php.ini overriding per host; ask your host.
  #3  
05 Apr 2008, 20:21
Jase2
 
Join Date: Dec 2007
Definitely causing issues.

I'll try increasing:

* php_value suhosin.post.max_vars
* php_value suhosin.request.max_vars
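Added example, not part of any post in this thread: a small Python model of how the two directives listed in post #3 interact. It assumes the documented Suhosin behaviour that `suhosin.request.max_vars` is also an upper bound on `suhosin.post.max_vars` and that variables past the limit are dropped; the `.htaccess` values and the form body are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qsl

# Constructed .htaccess fragment; the numbers are illustrative, not recommended values.
HTACCESS = """\
php_value suhosin.post.max_vars 2048
php_value suhosin.request.max_vars 200
"""

DIRECTIVE = re.compile(r"^\s*php_value\s+(suhosin\.[\w.]+)\s+(\d+)\s*$")


def parse_limits(text):
    """Collect numeric `php_value suhosin.*` directives from an .htaccess fragment."""
    limits = {}
    for line in text.splitlines():
        match = DIRECTIVE.match(line)
        if match:
            limits[match.group(1)] = int(match.group(2))
    return limits


def effective_post_limit(limits):
    """Assumption: request.max_vars caps post.max_vars, so the lower value applies."""
    keys = ("suhosin.post.max_vars", "suhosin.request.max_vars")
    values = [limits[k] for k in keys if k in limits]
    return min(values) if values else None


def check_post(body, limits):
    """Count the variables in a urlencoded POST body and compare with the limit."""
    fields = len(parse_qsl(body, keep_blank_values=True))
    limit = effective_post_limit(limits)
    dropped = max(0, fields - limit) if limit is not None else 0
    return {"fields": fields, "limit": limit, "dropped": dropped}


def sample_body(n):
    """Constructed stand-in for a large admin form: n array-style fields."""
    return "&".join(f"setting[{i}]=1" for i in range(n))


if __name__ == "__main__":
    limits = parse_limits(HTACCESS)
    # Raising only post.max_vars does not help while request.max_vars stays low.
    print(check_post(sample_body(350), limits))
```
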
  #4  
05 Apr 2008, 20:35
Opserty
 
Join Date: Apr 2007
Search vBulletin.com; I remember a post there a while back defining the settings required.
  #5  
05 Apr 2008, 20:45
Jase2
 
Join Date: Dec 2007
http://www.vbulletin.com/forum/showt...82#post1329782
  #6  
06 Apr 2008, 11:22
Marco van Herwaarden
 
Join Date: Jul 2004
Moved to Server Management.
__________________
Marco van Herwaarden
Ex vBulletin.org Coordinator
  #7  
13 Apr 2008, 07:50
TECK
 
Join Date: Dec 2001
Real name: Floren Munteanu
Take off Suhosin, it is designed to slow down your server.
Why do you need a hardened PHP version? Just define a good set of rules in Selinux.
__________________
Floren Munteanu
Axivo Inc.
Axivo Community - Visit the forums to find out more about us
Why Queued - My personal blog
  #8  
22 Apr 2008, 14:44
wolfstream
 
Join Date: Jan 2003
Real name: Tom Whiting
Originally Posted by TECK:
Take off Suhosin, it is designed to slow down your server.
Why do you need a hardened PHP version? Just define a good set of rules in Selinux.
That's a load if I ever heard it.

PHP, by default, has many flaws to it, such as allowing globals to be lax, allowing for poor coding. Obviously, something needs to be done there.

SELinux should be disabled, it's the Linux version of "Cancel or allow", only more strict, more of a pain in the tail, and more problematic. If you want to spend hours learning and creating rulesets for SELinux, then by all means, go for it. Others aren't going to bother.

There's a reason SELinux is disabled by default with every major control panel install out there. That reason? It doesn't work, it's too restrictive, and it is just awful.

Now, suhosin, on the other hand, I have never, EVER had an issue with when properly compiled into php. Don't use the module, use the patch. Compile php from the ground up, add in the suhosin patch, and any of the mailheader patches, and you'll be fine. Again, I've never, ever seen any problems with this setup, and I manage servers (and forums) that are pretty heavily used and modified.
  #9  
22 Apr 2008, 16:33
TECK
 
Join Date: Dec 2001
Real name: Floren Munteanu
I use Selinux on all my servers. Never had a problem, it is very easy to define solid security rules. You are right about the PHP flaws. However, those flaws appear ONLY when a programmer writes BAD code. It is not the PHP language's fault if the programmer knows nothing about coding. IMO, using Suhosin to prevent/correct an eventual mistake a coder can make is not a solution. Plus you know the patch is slowing down the code execution... a little, but still does it.

Quote: "There's a reason selinux is disabled by default with every major control panel install out there."
Any server admin I know will not touch a control panel, like CPanel and other similar software, with a 10-foot pole. However, you are the server admin and you decide what is best for your box.
__________________
Floren Munteanu
Axivo Inc.
Axivo Community - Visit the forums to find out more about us
Why Queued - My personal blog
  #10  
17 Jun 2008, 15:23
khb1st
 
Join Date: Mar 2008
although a little late to jump into this discussion I need to know from both of you

is either suhosin or selinux an absolute must on your server for security reasons

I have made my server installations using both, and I find suhosin to slow down the system tremendously, but I haven't tweaked the settings yet, so that may change

security, these days, is of the utmost priority, and frankly, if it slows down up/downloads, that is no issue

I have done much reading and heard many opinions, but I would like a response (I feel they are both valuable) from each of you, asked kindly, and thanking in advance

please TECK and wolfstream
  #11  
17 Jun 2008, 16:20
Marco van Herwaarden
 
Join Date: Jul 2004
A short answer: If you are only running vBulletin, then absolutely a No

Which security holes do you currently have that you want to stop by one of these?
__________________
Marco van Herwaarden
Ex vBulletin.org Coordinator
  #12  
17 Jun 2008, 18:08
khb1st
 
Join Date: Mar 2008
I am only concerned of stopping ANY potential holes

many people out there like to give opinions, and it seems a good portion believe suhosin is essential for possible php problems (which I have none, so far)

the addition of suhosin (as I mentioned) has slowed down some processes, very obviously, and I just wanted to hear a few comments from people who I feel have more knowledge about this

and thanks Marco for a swift and pointed reply