Hardened PHP
Lorenzo Hernández García-Hierro
lorenzo at gnu.org
Fri Feb 25 08:00:26 CST 2005
On Thu, 24-02-2005 at 17:47 -0700, dataw0lf wrote:
> Has anyone on the development team spoken of including hardened-php,
> either applied to the php packages, or as a separate package?
> http://www.hardened-php.org
> dataw0lf
I've done some work with it in Hardened Debian, and all I can say is
that it's a partially broken solution.
If the developers mind on splitting up each "security feature" then it
could be a good approach, but letting PHP mprotect() on its own and
starting orgies of dirty memory handling and canaries all over the place
are not good solutions at all.
Also, these protections are handled by other approaches in both userland
(i.e., SSP/ProPolice -> libssp) and kernel space (i.e., PaX).
The other features are very much something to be *merged* into the upstream
distribution, but it needs, AFAIK, to be, as I said above, a
patch-per-feature, not a wholesale one.
BTW, the latest release seems to have some ABI breakage
(http://www.hardened-php.net/features.php).
I don't know if all the effort to get this done quickly is worth it at all,
but as a first and completely personal thought, I go the "No." way.
Cheers,
--
Lorenzo Hernández García-Hierro <lorenzo at gnu.org>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]