Menu
▾
▴
Re: [Phprojekt-devel] Private folder on P6
|
From: Gustavo S. <gus...@gm...> - 2010-04-28 17:29:44
|
Hi all, David's suggestion implemented. http://github.com/gsolt/PHProjekt/commit/93ee227fd5bc8b29a396da120646504ece27b963 Greetings. On 27/04/2010 01:50 p.m., David Soria Parra wrote: > Hi Gustavo > > Am 27.04.10 03:48, schrieb Gustavo Solt: >> Hi all, >> since many people complain about the "DocumentRoot" limitation in the >> installation of PHProjekt 6, for a better solution about the security, >> there is an idea about to make 2 improves: > >> 1. Make the configuration.ini file, a php file, so nobody can read it, >> only the web server can execute it or read it. > >> 2. Make a private folder for save there the logs, the temporally and the >> uploaded files. (All the files written by the API/User). > >> --- About 1. --- >> The best solution that i found, is to keep the configuration.ini file as >> format, add a <?php in the first line, rename it to configuration.php >> and change the comments from ; to #. >> There is a new Config parser, that just drop the first line, and take >> the file as ini. > >> Pros: >> 1. The format is read friendly, like all the ini files. >> Contra: >> 1. Since is a php file, the common editor should provide a correct >> interface for edit files, but since the ini structure is not PHP, maybe >> the user have ugly messages in the editor. >> 2. If you want to access directly to the file >> http://p6/configuration.php => you will get a parser error. Maybe is not >> a contra, but is ugly. > > Yes the solution might work, but still other files might be accessable, > things like README, tests, VERSION and so on. > >> --- About 2. --- >> Here i want to discuss some scenarios. >> First, the zip or the tarball, provide a folder phprojekt with all the >> files and folders in it. >> Currently the structure is: >> phprojekt/ >> application/ >> htdocs/ >> library/ >> logs/ >> tmp/ >> upload/ >> configuration.ini >> And the limitation say that a vhost must be set to the htdocs folder. > >> With the private folder, the idea is something like: > >> phprojekt/ >> application/ >> htdocs/ >> library/ >> configuration.ini >> private/ >> logs/ >> tmp/ >> upload/ > > I like the approach, but I think it gets difficult, as PHProjekt looks > different on disk depending on the way you set it up. In fact using the > private folder method we can separate htdocs and the rest, as the rest > doesn't need to be access from the outside and that's what we care about. > >> Contra: Even if the private folder have a random name set by the user, >> is accessible by web http://my.domain/private. >> For solve that, we provide a .htaccess with Deny from all, but the >> folder is still writable and public. >> The user can set the write rights for this folder to "only owner"?, yes, >> but ONLY in Linux, in Windows system, the folder is public and writable >> (only the admin of the system can set the rights there). > No write access cannot be by owner only, most webhosts user a group for > the webserver and different owners, in that case the webserver will not > be able to write to the directory. > > >> 2. Outside the public_html: > > we cannot do this, as this is particularly what people that just have a > usual web host, complain about. They just have webspace that is > accessable from the outside. > >> Pros: Is not accessible by Web. >> Contra: >> - The web user in general don't have access to write folders there, >> or for rights or for groups limitation. If the setup routine can't >> create the folder, the user/admin must do it. >> If there are many problem for the common users to create a vhost, you >> think that create a folder outside public is easy for them? >> - If the folder is created, must have the correct right access, since >> the API don't have right for change them, and again, the access system >> works only for Linux, in windows is ALL 777. Do you think that the user >> can do it? > > My suggestions is the following: > > We add .htaccess files to the phprojekt/ folder and to > phprojekt/htdocs. The .htaccess in phprojekt/ forbids > access. This is done by putting the following into the > .htaccess file: > > deny from all > > and in htdocs/.htaccess: > > allow from all > > This way we keep our setup the way it is, we just have > to remove the check for the vhost. Well not remove, we > should state a message that says: > > Please note that your webserver needs to support .htaccess > files to deny access to the configuration files. Running > PHProjekt 6 without using the provided .htaccess files > to deny access to certain files and folders, might not > be secure and is not recommended. > > This is still not a perfect solution as we do rely on > .htaccess (apache only) and that the webserver is configured > to allow access overwriting. So Apache might be configured > to use .htaccess but not to allow forbidding access using .htaccess. > > But I personally think 90% of the users have a setup that will > work with what I suggested, while it keeps our changes low and > the code base stable. > > David |
