Re: security considerations [Beginner's Corner]

1

security considerations

2010/3/17 3:22
shoutout
Just popping in
Posts: 1
Since: 2010/3/17

Hi All
what should the folders be named.

For security considerations, you are strongly advised to move the two directories below out of document root and change the folder names:

xoops_lib
xoops_data

2

Re: security considerations

2010/3/17 8:37
ghia
Community Support Member
Posts: 4953
Since: 2008/7/3 1

Anything, for example: x_xoops_lib and x_xoops_data
Replace the first x by a 4 to 8 character result of a random password generator.
Don't forget to adapt the definitions in mainfile.php along!

3

Re: security considerations

2010/3/25 17:13
Peekay
XOOPS is my life!
Posts: 2335
Since: 2004/11/20

Quote:

I am having difficulty moving the folders out of the root directory...

You may not be able to.

Even if your control panel lets you create the folders, the paths may need to be added to an Apache list called 'Open basedir' which controls access to files outside the web root.

Unless you run the server or have a VPS, you may need to talk to your host to get the trust-path added to the list.

If you can't move the folders, just leave them where they are, rename them and ensure the permissions are correct.

4

Re: security considerations

2010/3/25 18:40
ghia
Community Support Member
Posts: 4953
Since: 2008/7/3 1

Some hosters may have designed a special directory for placing them in, called something like private, data, ..., etc.
Check your hosters documentation.

If there is no possibility to move them outside the root, rename and have also a .htaccess file to deny direct access.

5

Re: security considerations

2010/3/27 1:43
luthermartin
Just popping in
Posts: 26
Since: 2010/3/17

Thanks to all of you for providing this information. Tonight, I will try the path change recommendations with my Host.

If that does not work, I understand how to implement the workaround. In fact, that is what I have done, but I need to put the .htaccess file in the mix.

6

Re: security considerations

2010/3/28 23:03
Peekay
XOOPS is my life!
Posts: 2335
Since: 2004/11/20

My VPS domains have a 'private' folder but it is not suitable for trust-path. I still have to edit open_basedir using shell.

Having these folders outside the web root is undoubtably a good idea, but I suspect a lot of people on shared hosting will not be able to do this.

I think the 'security consideration' notice needs re-wording, otherwise people may simply abandon XOOPS when they realise that they cannot re-locate these folders as recommended.

7

Re: security considerations

2010/3/29 0:59
Mamba
Moderator
Posts: 11380
Since: 2004/4/23

Quote:

I think the 'security consideration' notice needs re-wording, otherwise people may simply abandon XOOPS when they realise that they cannot re-locate these folders as recommended.

How would you recommend to reword it ?

BTW - maybe we need to provide a list of Host companies that enable users to have a "trusted" directory outside of the Document Root.

8

Re: security considerations

2010/3/29 1:29
Peekay
XOOPS is my life!
Posts: 2335
Since: 2004/11/20

Quote:

How would you recommend to reword it ?

I dunno.

It just gives the impression that if you can't move the folders then you're gonna get hacked - which really isn't the case, provided (as Ghia says) you take sensible precautions.

Maybe it should say... to be safe do this... and if you CAN... do this.

9

Re: security considerations

2010/3/29 15:40
kerkyra
Just can't stay away
Posts: 553
Since: 2005/2/14

i agree.

Perhaps this warning should be visible in the protector's security advisory page.???

It's not very nice for the clients to see this redletter warning in the admin panel.

10

Re: security considerations

2010/3/29 21:13
Burning
Theme Designer
Posts: 1163
Since: 2006/8/22

hi'

Quote:

BTW - maybe we need to provide a list of Host companies that enable users to have a "trusted" directory outside of the Document Root.

... all paid hosting I tested offered a folder outside web :
• phpnet
• ovh
• celeonet
• infomaniak
• ...

... for less than $ 2 per month.
Don't know for VDS domain

my two cents

Stats
Goal:	$100.00
Due Date:	Sep 30
Gross Amount:	$0.00
Net Balance:	$0.00
Left to go:	$100.00

security considerations

Re: security considerations

Re: security considerations

Re: security considerations

Re: security considerations

Re: security considerations

Re: security considerations

Re: security considerations

Re: security considerations

Re: security considerations

Login

Search

Recent Posts

Re: sbadmin5 - Bootstrap 5 Theme

Re: sbadmin5 - Bootstrap 5 Theme

sbadmin5 - Bootstrap 5 Theme

Re: XoopsFaq for 2.5.10

XoopsFaq for 2.5.10

Re: activate block by default

Re: wgFilemanager released for testing and contribution

Re: wgFilemanager released for testing and contribution

Re: activate block by default

activate block by default

Who's Online

Donat-O-Meter

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}