Suhosin recommend to activate?

hibiskus

Active member
On landing page of admin panel you see a Server Environment check with lttle php-info.

I see that Suhosin is not active on my server, i read it is for security.
I guess it is recommended to turn that on over php settings?
 
So what is actually Suhosin does that many of you not interested to turn it on? Doesn't make sense Xenforo developer chose it as part of the server environment report.
 
So what is actually Suhosin does that many of you not interested to turn it on? Doesn't make sense Xenforo developer chose it as part of the server environment report.
Yeah i'm wondering about that too.
i am finding it difficult to ascertain a reliable answer since apparently some assert Suhosin is beneficial while others assert that it's potentially detrimental and yet still others assert anywhere in between.

Google results appear to show everything from Suhosin is the greatest thing since sliced bread—through to entirely unrelated info—to utter gibberish fake sites suggesting Suhosin causes "climate change" and probably killed Kennedy.
(*obviously semi-joking)

However the simple fact that XF includes the Suhosin on/off indicator in the ACP server environment report, this leads one to assume that XF likely intended for Suhosin to be used.
Yet, as some say, if Suhosin is potentially detrimental, why would XF include the Suhosin indicator if that were so?—especially without an overtly apparent caution or something.

Am i being unreasonable to suggest adding little info/help/example tabs next to everything within the ACP areas.
magicut_1689546265029.webp
*This is merely a hastily slapped together visual example.

*Regardless, i would seriously consider paying someone to develop an add-on capable of enabling this sort of thing throughout all areas of the ACP.
 
However the simple fact that XF includes the Suhosin on/off indicator in the ACP server environment report, this leads one to assume that XF likely intended for Suhosin to be used.
No. It's just there for informational purposes on the configuration of the server that XF is operating on. It's a good marker when diagnosing issues that sometimes trace their way back to things like suhoshin being enabled. Having that Yes/No flag on the front, is a quick way to ID a potential issue (especially when working inexperienced site owners). IMHO, it's detrimental and more trouble than it's worth.
 
No. It's just there for informational purposes on the configuration of the server that XF is operating on. It's a good marker when diagnosing issues that sometimes trace their way back to things like suhoshin being enabled. Having that Yes/No flag on the front, is a quick way to ID a potential issue (especially when working inexperienced site owners). IMHO, it's detrimental and more trouble than it's worth.
Thank you ENF, this is a fantastic example.
i've lazily modified the previous concept example accordingly.
IMG_20230717_154622.webp
Sure you'd know that anyone with a smartphone can subscribe to XF?

With a mere $60us transaction—💥viola!
Instant 😻ADMINISTRATOR🎉+ all the responsibilities-whether apparent or otherwise.

Most of that is automated, so obviously even a severely computarded backwater hillbilly like me can do it.

Out the front end is simple enough for anyone who is familiar with these chat forums,....but out the back things rapidly become increasingly unclear~

Now regarding the quoted post, i think it is very clear that i was not asking whether we should or not use Suhosin, nor why.

*Refer-post#2.
Ozzy pretty much already said don't touch it. So, i for one definitely ain't gonna be touchin it.😂

The intended point i was & am again making here is simply suggesting a potential solution concept which addresses the OP: "Suhosin recommend to activate?"

Plus, the suggested solution concept isn't restricted to only being integrated with every instance of XF,...

...perhaps we use a mock forum where people can explore front & back, freely able to browse information tabs explaining real functions.
Could use short educational style videos as well as written info &/or other visual diagrams.

Merely a suggestion though.
 
I guess it is recommended to turn that on over php settings?
Probably not unless you're happy to deal with some extra bugs out of the box.

Suhosin looks outdated and Suhosin-NG hasn't had a release for years, so https://github.com/jvoisin/snuffleupagus/releases looks like the active php hardening suite.
Yup, Suhosin is mostly dead nowadays, and the Suhosin-NG people have been contributing to Snuffleupagus, where most of this effort happens these days.

We do use the latter for both our main website and XenForo 2 without issues, and we contributed back a (working-for-us-with-our-set-of-add-ons) basic XF-specific config of it here.
But your mileage may vary, and you'll want to dig into your server logs to use it comfortably. There will be false-positives from time to time as well.

As for whether it's worth it, that depends on how paranoiac you are about security. We are, so we use it alongside modsecurity, but many people will say that it's fine not to, and they're not necessarily dumb/wrong.
 
Yup, Suhosin is mostly dead nowadays, and the Suhosin-NG people have been contributing to Snuffleupagus, where most of this effort happens these days.

We do use the latter for both our main website and XenForo 2 without issues, and we contributed back a (working-for-us-with-our-set-of-add-ons) basic XF-specific config of it here.
But your mileage may vary, and you'll want to dig into your server logs to use it comfortably. There will be false-positives from time to time as well.

As for whether it's worth it, that depends on how paranoiac you are about security. We are, so we use it alongside modsecurity, but many people will say that it's fine not to, and they're not necessarily dumb/wrong.

Very nice! Thank you for your contribution. Have you showed it to @Chris D ? They might be interested to know and see which hardening works and doesn't work on XF and use that information when refactoring certain core things!
 
I didn’t think of doing that to be honest.

Mainly because I am not sure I would be very excited about it if I were them, since it means extra support tickets etc. if it gets traction and used by less technical customers not recognizing that it breaks some feature 😅

(And by that I mean that your config very much would depend on your hosting/XF/addons combination, it’s not really plug-and-play)
 
Back
Top Bottom