If you want to install the Hardening-Patch on an operating system like
FreeBSD or Gentoo, you can skip directly to the corresponding section, because the Hardening-Patch is already in your ports tree.
When you want to install PHP with the Hardening-Patch you have to first perform some preparation steps.
You should first grab a copy of the Hardened-PHP Project's release signature key and import it into your GNU Privacy Guard keychain. (For further information on the usage of gnupg, please consult its manpage.)
#> gpg --import < hardened-php-signature-key.asc
gpg: /root/.gnupg/trustdb.gpg: trust-db erzeugt
gpg: key 0A864AA1: public key "Hardened-PHP Signature Key" imported
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg: importiert: 1
Depending on the installation path you want to choose you should now grab a copy of PHP with the Hardening-Patch already applied, or a fresh PHP tarball and the latest version of the Hardening-Patch. Additionally you should get the digital signature (*.sig) files. You can grab all of this on our download page.
As a first precaution you can check the MD5 hashes of the downloaded files against those you find on the download page.
#> md5sum php-5.1.4.tar.bz2
66a806161d4a2d3b5153ebe4cd0f2e1c php-5.1.4.tar.bz2
#> md5sum hardening-patch-5.1.4-0.4.11.patch.gz
c8a0e745687b3a238bafbeeaafd8efb7 hardening-patch-5.1.4-0.4.11.patch.gz
#> md5sum hardening-patch-5.1.4-0.4.11.tar.bz2
c445220fc227ae815aa94602428fc51c hardening-patch-5.1.4-0.4.11.tar.bz2
When the MD5 hash values are valid you can check the digital signatures like this.
#> gpg php-5.1.4.tar.bz2.sig
gpg: Signature made Di 16 Mai 2006 23:39:04 CEST using DSA key ID 0A864AA1
gpg: Good signature from "Hardened-PHP Signature Key"
#> gpg hardening-patch-5.1.4-0.4.11.patch.gz.sig
gpg: Signature made Sa 13 Mai 2006 20:02:53 CEST using DSA key ID 0A864AA1
gpg: Good signature from "Hardened-PHP Signature Key"
#> gpg hardening-patch-5.1.4-0.4.11.tar.bz2.sig
gpg: Signature made Sa 13 Mai 2006 20:03:02 CEST using DSA key ID 0A864AA1
gpg: Good signature from "Hardened-PHP Signature Key"
If you have downloaded the already prepatched tarball the preparation phase is finished after you have unpacked the tarball.
#> tar -xjf hardening-patch-5.1.4-0.4.11.tar.bz2
Otherwise you have to unpack the PHP tarball, gunzip the patchfile and then apply the patch.
#> tar -xjf php-5.1.4.tar.bz2
#> gunzip hardening-patch-5.1.4-0.4.11.patch.gz
#> cd php-5.1.4
#> patch -p 1 -i ../hardening-patch-5.1.4-0.4.11.patch
After having prepared the PHP source tree the next step is not much different from the usual installation of PHP.
#> ./configure --with-whatever-you-want
#> make
#> make test
#> make install
With make test you can verify that PHP still works and does not break anything.
If you are upgrading from a previous installation of PHP, you have to recompile all installed PHP modules and extensions after you have installed the Hardening-Patch, because the Hardening-Patch is binary incompatible. If you previously used some binary-only extensions, you cannot use them anymore unless their vendor provides a special package.
After having recompiled and installed everything, have a look at the bundled php.ini files for examples of how to use the new configuration directives. For documentation of the new directives, consult the Configuration section.
#> USE=hardenedphp emerge php
After having installed PHP with the Hardening-Patch you can continue configuring it. Your php.ini file should already contain directives to configure the Hardening-Patch with examples. Additional information about the directives can be found in the Configuration section.