From: Izzy Blacklock
Subject: Re: [Phpgroupware-users] Help needed: Configuration quick reference chart...
Date: Sat, 05 Apr 2003 17:21:03 -0700
User-agent: KMail/1.4.3

On April 5, 2003 16:50, Chris Weiss wrote:

Thanks Chris, yours was the document I linked to in my first post.  Sorry for
not giving credit.  As I said, this is the best source of info I've found to
date in reference to phpgw.

...Izzy

> I discuss this in some detail in the installation howto, here are some
> excerpts
>
> From http://free-source.com/files/phpgw-howto.html#2.3
>
> You have 2 options, all will assume you're still in the phpgroupware
> directory from doing the cvs update, the security issues of each will be
> addressed in section 3:
>
>    1. Least secure but easiest: Make your phpgroupware directory world
> writable:
>      $ chmod a+w ../phpgroupware
>    2. Most secure but slightly error prone: Use the "view" or "download"
> option in header manager and upload or copy/paste the result to your
> server. If you choose this method take care there is no white space
> (spaces, tabs, blank lines) at all before the first "<?" and that your
> editor doesn't wrap any lines for you where it shouldn't have. You may then
> make the header.inc.php world writable, which is better than #1 but still
> has risks.
>
> Whichever you choose, I recommend not leaving this world writable, and only
> making it writable when you actually need to change some configuration,
> which is very rare once you have a working system.
>
> If you plan on using the phpwebhosting filemanager or any application that
> makes use of the vfs home/group directories (sorry, I don't have a list of
> other apps that do) you will need to prepare the "files" directory. By
> default, the files directory is in the phpgroupware root, but this would
> allow smart users to upload/create a php file and execute whatever they
> want, including reading your header config and then the database! Luckily,
> the default is also to disallow the ability to upload files in the first
> place since the files directory is not writable by the anonymous web user.
> We will be moving the files dir outside of the web root for security's
> sake. Since I'm installing under my home directory I've made ~/phpgwadmin/
> and I'm going to put it there and make it and all its contents world
> writable. You can put it wherever you want so long as every directory up to
> it is world readable:
>   $ mv files ~/phpgwadmin/
>   $ chmod -R a+w ~/phpgwadmin/files
>
> From http://free-source.com/files/phpgw-howto.html#3.1
>
> Myths and Truths
> - "the phpgroupware directory needs to be mode 777" Ack! no! this makes
> your whole tree world writable! all it takes is one malicious user to
> upload a file that edits the login files to record all logins and passwords
> for later abuse and you're done for, start working on that resume.
> - "the phpgroupware directory needs to be owned by the same user apache
> runs under" Very false! this is in essence the same thing as mode 777!
> - "having the tree owned by apache's user and mode 700 is safer" well, not
> exactly. Having the header.inc.php owned by apache's user and mode 400 is
> about as safe as you can get since then other system users can't read your
> config, but now root needs to maintain this file, which is just not ideal.
> - "having php pipe certain files like Excel and Word files causes problems,
> direct access is needed" At one time, yes, but that should all be fixed.
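The quoted howto boils down to three checks an administrator can run against an install: nothing under the web-served phpgroupware tree is world-writable, header.inc.php is only writable while it is actually being edited, and the vfs "files" directory sits outside the web root. The script below is an added example written for this page, not code from the howto or from the phpGroupWare project; it builds a constructed throwaway layout under a temp directory, audits it in the risky "before" state (world-writable header, files dir inside the web root), applies the remediation the howto describes, and audits again.

```shell
#!/bin/sh
# Added example (not from the howto or the phpGroupWare project): audit a
# phpGroupWare tree against the permission advice quoted on this page.
# All paths below are constructed in a temporary directory for demonstration.

# Return 0 if nothing under $1 is world-writable (other-write bit 002), else 1.
tree_has_no_world_writable() {
    dir="$1"
    [ -d "$dir" ] || return 1
    [ -z "$(find "$dir" -perm -002 2>/dev/null)" ]
}

# Return 0 if $1/header.inc.php exists and is not world-writable, else 1.
# (The howto recommends making it writable only while you change config.)
header_is_locked_down() {
    f="$1/header.inc.php"
    [ -f "$f" ] || return 1
    [ -z "$(find "$f" -perm -002 2>/dev/null)" ]
}

# Return 0 if the vfs "files" directory ($2) lies outside the web root ($1).
# A files dir inside the web root lets an uploaded .php file be executed.
files_dir_outside_webroot() {
    [ -d "$1" ] && [ -d "$2" ] || return 1
    webroot=$(cd "$1" && pwd -P)
    filesdir=$(cd "$2" && pwd -P)
    case "$filesdir" in
        "$webroot"|"$webroot"/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print one line per check for the given web root and files directory.
audit() {
    root="$1"; files="$2"
    if tree_has_no_world_writable "$root"; then
        echo "ok:   no world-writable entries under $root"
    else
        echo "WARN: world-writable entries under $root"
    fi
    if header_is_locked_down "$root"; then
        echo "ok:   header.inc.php is not world-writable"
    else
        echo "WARN: header.inc.php is world-writable (or missing)"
    fi
    if files_dir_outside_webroot "$root" "$files"; then
        echo "ok:   files dir is outside the web root"
    else
        echo "WARN: files dir is inside the web root"
    fi
}

# Constructed demo layout: web root with a world-writable header and the
# default in-tree "files" directory, i.e. the state the howto warns about.
demo_dir=$(mktemp -d)
webroot="$demo_dir/htdocs/phpgroupware"
mkdir -p "$webroot/files" "$demo_dir/phpgwadmin"
printf '<?php\n// constructed header for the demo\n' > "$webroot/header.inc.php"
chmod a+w "$webroot/header.inc.php"

echo "--- before remediation ---"
audit "$webroot" "$webroot/files"

# Remediation as described in the howto: drop world write on the header and
# move the files dir outside the web root (here to a constructed ~/phpgwadmin).
chmod a-w "$webroot/header.inc.php"
mv "$webroot/files" "$demo_dir/phpgwadmin/files"

echo "--- after remediation ---"
audit "$webroot" "$demo_dir/phpgwadmin/files"

rm -rf "$demo_dir"
```

Run it against a real install by calling `audit /path/to/phpgroupware /path/to/files` instead of the constructed layout; the functions use only `find -perm -002` and `pwd -P`, so they behave the same on GNU and BSD userlands, and they do not need root unless parts of the tree are unreadable to you.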