1
shoutout
security considerations
  • 2010/3/17 3:22

  • shoutout

  • Just popping in

  • Posts: 1

  • Since: 2010/3/17


Hi All
What should the folders be named?

For security considerations, you are strongly advised to move the two directories below out of document root and change the folder names:

xoops_lib
xoops_data


2
ghia
Re: security considerations
  • 2010/3/17 8:37

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Anything, for example: x_xoops_lib and x_xoops_data
Replace the first x by a 4 to 8 character result of a random password generator.
Don't forget to adapt the definitions in mainfile.php accordingly!

3
Peekay
Re: security considerations
  • 2010/3/25 17:13

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


Quote:
I am having difficulty moving the folders out of the root directory...


You may not be able to.

Even if your control panel lets you create the folders, the paths may need to be added to an Apache list called 'Open basedir' which controls access to files outside the web root.

Unless you run the server or have a VPS, you may need to talk to your host to get the trust-path added to the list.

If you can't move the folders, just leave them where they are, rename them and ensure the permissions are correct.

4
ghia
Re: security considerations
  • 2010/3/25 18:40

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Some hosters may have designed a special directory for placing them in, called something like private, data, ..., etc.
Check your hoster's documentation.

If there is no possibility to move them outside the root, rename them and also add a .htaccess file to deny direct access.
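
The fallback described in the posts above (random prefix, rename, .htaccess deny), as an added example that is not part of any post and is not XOOPS project code. It assumes Apache honours .htaccess files in the web root; the function names and the `--harden` flag are hypothetical, and the path definitions in mainfile.php still have to be updated by hand afterwards.

```shell
#!/bin/sh
# Added example (not XOOPS project code): rename-and-deny fallback for
# xoops_lib / xoops_data when they cannot be moved out of the web root.
# Assumes Apache honours .htaccess files in this tree (AllowOverride permits it).

# Print a random lowercase/digit prefix of $1 characters (the thread suggests 4 to 8).
rand_prefix() {
    head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'a-z0-9' | cut -c "1-$1"
}

# Write an .htaccess into directory $1 that refuses every direct HTTP request.
# Covers both Apache 2.4 (mod_authz_core) and the older 2.2 access syntax.
write_deny() {
    cat > "$1/.htaccess" <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
    chmod 644 "$1/.htaccess"
}

# Rename $1/$2 to $1/<$3>_$2, add the deny rule, and print the new path.
# Refuses to act if the source is missing or the target name already exists.
harden_dir() {
    src="$1/$2"
    dst="$1/${3}_$2"
    if [ ! -d "$src" ]; then echo "missing: $src" >&2; return 1; fi
    if [ -e "$dst" ]; then echo "already exists: $dst" >&2; return 1; fi
    mv "$src" "$dst" && write_deny "$dst" && printf '%s\n' "$dst"
}

# Usage (hypothetical script name): sh harden.sh --harden /path/to/webroot
if [ "${1:-}" = "--harden" ] && [ -d "${2:-}" ]; then
    prefix=$(rand_prefix 8)
    for d in xoops_lib xoops_data; do
        new=$(harden_dir "$2" "$d" "$prefix") || exit 1
        echo "renamed $d -> $new (update its path in mainfile.php)"
    done
fi
```

After running it, request a file inside the renamed directory through the browser and confirm the server answers 403; a 200 means .htaccess overrides are disabled on that host.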

5
luthermartin
Re: security considerations

Thanks to all of you for providing this information. Tonight, I will try the path change recommendations with my Host.

If that does not work, I understand how to implement the workaround. In fact, that is what I have done, but I need to put the .htaccess file in the mix.

6
Peekay
Re: security considerations
  • 2010/3/28 23:03

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


My VPS domains have a 'private' folder but it is not suitable for trust-path. I still have to edit open_basedir using shell.

Having these folders outside the web root is undoubtedly a good idea, but I suspect a lot of people on shared hosting will not be able to do this.

I think the 'security consideration' notice needs re-wording, otherwise people may simply abandon XOOPS when they realise that they cannot re-locate these folders as recommended.

7
Mamba
Re: security considerations
  • 2010/3/29 0:59

  • Mamba

  • Moderator

  • Posts: 11409

  • Since: 2004/4/23


Quote:
I think the 'security consideration' notice needs re-wording, otherwise people may simply abandon XOOPS when they realise that they cannot re-locate these folders as recommended.

How would you recommend rewording it?

BTW - maybe we need to provide a list of Host companies that enable users to have a "trusted" directory outside of the Document Root.

8
Peekay
Re: security considerations
  • 2010/3/29 1:29

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


Quote:
How would you recommend rewording it?

I dunno. It just gives the impression that if you can't move the folders then you're gonna get hacked - which really isn't the case, provided (as Ghia says) you take sensible precautions.

Maybe it should say... to be safe do this... and if you CAN... do this.

9
kerkyra
Re: security considerations
  • 2010/3/29 15:40

  • kerkyra

  • Just can't stay away

  • Posts: 553

  • Since: 2005/2/14


I agree.

Perhaps this warning should be visible in the protector's security advisory page?

It's not very nice for the clients to see this red-letter warning in the admin panel.

10
Burning
Re: security considerations
  • 2010/3/29 21:13

  • Burning

  • Theme Designer

  • Posts: 1163

  • Since: 2006/8/22


Hi

Quote:
BTW - maybe we need to provide a list of Host companies that enable users to have a "trusted" directory outside of the Document Root.

... all paid hosting I tested offered a folder outside web:
• phpnet
• ovh
• celeonet
• infomaniak
• ...

... for less than $2 per month.
Don't know for VDS domain


my two cents
