phpgroupware-users


Re: [Phpgroupware-users] Help needed: Configuration quick reference cha


From: Chris Weiss
Subject: Re: [Phpgroupware-users] Help needed: Configuration quick reference chart...
Date: Sat, 05 Apr 2003 23:50:13 +0000

I discuss this in some detail in the installation howto; here are some excerpts.

From http://free-source.com/files/phpgw-howto.html#2.3

You have 2 options; both assume you're still in the phpgroupware directory from doing the cvs update. The security issues of each will be addressed in section 3:

   1. Least secure but easiest: Make your phpgroupware directory world writable
      $ chmod a+w ../phpgroupware
   2. Most secure but slightly error prone: Use the "view" or "download" option in header manager and upload or copy/paste the result to your server. If you choose this method take care there is no white space (spaces, tabs, blank lines) at all before the first "<?" and that your editor doesn't wrap any lines for you where it shouldn't have. You may then make the header.inc.php world writable, which is better than #1 but still has risks.

Whichever you choose, I recommend not leaving this world writable, and only making it writable when you actually need to change some configuration, which is very rare once you have a working system.

If you plan on using the phpwebhosting filemanager or any application that makes use of the vfs home/group directories (sorry, I don't have a list of other apps that do) you will need to prepare the "files" directory. By default, the files directory is in the phpgroupware root, but this would allow smart users to upload/create a php file and execute whatever they want, including reading your header config and then the database! Luckily, the default is also to disallow the ability to upload files in the first place since the files directory is not writable by the anonymous web user. We will be moving the files dir outside of the web root for security's sake. Since I'm installing under my home directory I've made ~/phpgwadmin/ and I'm going to put it there and make it and all its contents world writable. You can put it wherever you want so long as every directory up to it is world readable:
  $ mv files ~/phpgwadmin/
  $ chmod -R a+w ~/phpgwadmin/files

From http://free-source.com/files/phpgw-howto.html#3.1

Myths and Truths
- "the phpgroupware directory needs to be mode 777" Ack! No! This makes your whole tree world writable! All it takes is one malicious user to upload a file that edits the login files to record all logins and passwords for later abuse and you're done for; start working on that resume.
- "the phpgroupware directory needs to be owned by the same user apache runs under" Very false! This is in essence the same thing as mode 777!
- "having the tree owned by apache's user and mode 700 is safer" Well, not exactly. Having the header.inc.php owned by apache's user and mode 400 is about as safe as you can get, since then other system users can't read your config, but now root needs to maintain this file, which is just not ideal.
- "having php pipe certain files like Excel and Word files causes problems, direct access is needed" At one time, yes, but that should all be fixed.
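The layout the howto excerpts describe (config file writable only while you are editing it, the "files" directory moved outside the web root with every parent directory world-readable, and nothing left world-writable in the web tree) can be checked with a few shell helpers. The script below is an added example, not code from the howto, the mailing-list post or the phpGroupWare project; the web root and files-dir paths in the comments are hypothetical and the helpers take your real paths as arguments.

```sh
#!/bin/sh
# Added example, not code from the howto or from phpGroupWare: helpers for
# the layout described above (header.inc.php writable only while editing,
# the "files" dir outside the web root, nothing in the web tree world
# writable). Example paths such as /var/www/phpgroupware and
# ~/phpgwadmin/files are hypothetical; pass your own.

# Print every world-writable file or directory under the web tree.
# Once the install is configured this should print nothing.
world_writable_in() {
    find "$1" -perm -002 -print
}

# Succeed if the files directory ($2) lies outside the web root ($1), so an
# uploaded .php file can never be reached through the web server.
outside_webroot() {
    case "$2/" in
        "$1"/*) return 1 ;;
        *)      return 0 ;;
    esac
}

# Succeed if every directory from $1 up to / is world-readable and
# world-searchable (other: r-x), which the web user needs in order to reach
# a files dir kept under e.g. ~/phpgwadmin/.
path_world_reachable() {
    d=$1
    # Work on an absolute path so the dirname loop terminates at /.
    case "$d" in
        /*) ;;
        *)  d=$(cd "$d" && pwd) || return 1 ;;
    esac
    while [ "$d" != "/" ]; do
        # -prune stops find from descending; -perm -005 tests o+rx on $d itself
        [ -n "$(find "$d" -prune -perm -005 -print)" ] || return 1
        d=$(dirname "$d")
    done
    return 0
}

# Make header.inc.php world-writable only for the duration of one command
# (for example saving the output of header manager), then remove write
# permission again whether or not the command succeeded.
with_writable_header() {
    hdr=$1
    shift
    chmod a+w "$hdr"
    "$@"
    rc=$?
    chmod a-w "$hdr"
    return $rc
}
```

Typical use: `world_writable_in /var/www/phpgroupware` after setup should print nothing, `outside_webroot /var/www/phpgroupware "$HOME/phpgwadmin/files"` and `path_world_reachable "$HOME/phpgwadmin/files"` should both succeed, and a config change is done as `with_writable_header /var/www/phpgroupware/header.inc.php cp /tmp/header.inc.php /var/www/phpgroupware/header.inc.php`.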




