I am trying to get a few Content Management Systems up and running.
But I have security concerns with respect to them
1) please see following link
http://www.dokeos.com/doc/installation_guide.html section 2 says
The following directories need to be readable, writeable and executable for
everyone:
- dokeos/main/inc/conf/
- dokeos/main/upload/users/
- dokeos/main/default_course_document/
- dokeos/archive/
- dokeos/courses/
- dokeos/home/
I am not very happy with this idea of having directories to be
readable,writeable and executable for every one.
2) http://doc.claroline.net/en/index.php/Install_general_information
the section
Rights on folders says
" If you don't want to set write access on the whole folders, which is
recommended for security reasons, give to the web server user write access on
these folders : "
Is this a recommended practice.?
3) Also another LMS (Learning Management System) while installing asked to give
some folders writeable and executable for every one
here is a link
http://atutor.ca/atutor/docs/installation.php
While installing it I got a message
“The directory you specify must be created if it does not already exist
and be writeable by the webserver. On
Unix machines issue the command chmod
a+rwx content, additionally the path
may not contain any symbolic links.
chmod a+rwx /var/www/atutor/content”
4) Another LMS docebolms asked to give write permissions on
files/doceboCore/photo
files/common/users
files/doceboLms/course
files/doceboLms/forum
files/doceboLms/item
files/doceboLms/message
files/doceboLms/project
files/doceboLms/scorm
files/doceboLms/test
I checked its documentation
http://www.docebo.org/doceboCms/index.php?mn=docs&op=docsĪ=5_4&folder=7
but was not that helpful.
I am not at all convinced by the idea of giving permissions to read,write and
execute as these Learning Management Systems say.
Let me know what you people have to say?
What is the best practise in such situations?
Answer
You're right to be concerned, and too many application vendors resort to telling you you need to grant full permissions to every user in order to avoid problems. They do this to minimize support calls, rather than to maximize security.
It does make sense that the web server account would need write access to certain directories to store uploads or generated files. And execute access on directories is required in Unix in order for the contents of the directory to be enumerated by a user, so that will also be necessary.
Ultimately, what you want is for the user account that is running the web server process (most likely www-data
if you are using a packaged web server on Ubuntu) to own the folders in question, and then the standard permissions of 755 (rwxr-xr-x) are sufficient, or if you are on a shared system with other untrusted users, you'd want 700 (rwx------).
So, in your first example, assuming those directories already exist, you would need to do this:
$ sudo chown -R www-data:www-data dokeos/main/inc/conf/ dokeos/main/upload/users/ dokeos/main/default_course_document/ dokeos/archive/ dokeos/courses/ dokeos/home/
$ sudo chmod 755 dokeos/main/inc/conf/ dokeos/main/upload/users/ dokeos/main/default_course_document/ dokeos/archive/ dokeos/courses/ dokeos/home/
Again, if you are on a shared system, you may wish to replace "755" with "700" on the second line. If you know that www-data
is not the user running your web server, replace that item with the correct value. You can run the same two commands on the directories for the second system as well. In both cases, write access is probably necessary, but only for the single user running the web server, not for everyone.
Good luck.
No comments:
Post a Comment