
TOPIC: IS comfort update safe

IS comfort update safe 3 years 11 months ago #50093

  • lovepade
  • Expert Lime
  • Posts: 93
  • Karma: 0
Hi there

Just a quick question: I just made good use of the comfort (auto) update functionality today. Easy and quick. However, I needed to make a whole bunch of files writeable (did this with group=www-data & chmod g+w).

Now I am just wondering if not having all these files writeable could be / is a security risk?

Sincerely

Andreas

Re:IS comfort update safe 3 years 11 months ago #50147

  • lovepade
  • Expert Lime
  • Posts: 93
  • Karma: 0
Just to expand a bit on my paranoia: giving write access seems to be not best practice, e.g. here:
For example, on many systems the Apache process runs as a user called "www-data". This user should be able to read all of the files in your web root directory either by group permissions or by "other" permissions. It should not have write permissions to any of the files in your web root directory. If you have web applications that require to write data to certain files (like config files or log files) then only set write permissions on that file or directory.
Be careful how you select the owner and group membership. Some setups set the ownership and group ownership to root:root and allow read access for "other". This might seem like a good idea but can disclose sensitive information if you run a system with multiple users. Imagine the case where you have a config.inc.php file containing a username and password. This file, when called through a browser, will be processed by your webserver. None of the sensitive information will (should) be "viewable" through a browser. A local user on the other hand can view the content of the file, without having the file processed by PHP, because it's accessible by everyone. An alternative setup with root:www-data and no access to "other" might be a more suitable setup for the latter case.
from: cert.belnet.be/content/web-server-security-best-practices#2.
Last Edit: 3 years 11 months ago by lovepade.

Re:IS comfort update safe 3 years 11 months ago #50161

  • DenisChenu
  • Moderator Lime
  • Posts: 6317
  • Thank you received: 810
  • Karma: 242
It depends on your server config.

Not really a LS problem.

I like to use suphp+acl for security, but suexec/fcgi are a good idea too.

Difficult to answer your question.

Re:IS comfort update safe 3 years 11 months ago #50189

  • Mazi
  • LimeSurvey Team
  • Posts: 5325
  • Thank you received: 296
  • Karma: 249
If you temporarily disable write protection, that should be no big deal. You can change the permissions after having updated.

Some folders need to be writeable to change file content/upload content. There is not much you can do about it.

Best regards/Beste Grüße,
Dr. Marcel Minke
(Limesurvey Head of Support)
Need Help? We offer professional Limesurvey support
Contact: marcel.minke(at)limesurvey.org
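The workflow Mazi describes above (open the web root for the update, then tighten it again) and the belnet advice lovepade quotes earlier (web server group reads but does not write, "other" gets nothing, only runtime directories writable), as an added example script. This is not LimeSurvey's own code and was not posted in the thread; the install path /var/www/limesurvey, the group www-data and the list of runtime-writable directories (tmp, upload) are assumptions that must be checked against your own installation.

```shell
#!/bin/sh
# Added example: a permission workflow around ComfortUpdate. This is not
# LimeSurvey's code; WEBROOT, WEBGROUP and RUNTIME_WRITABLE are assumptions
# for a typical Debian-style install and must be checked against your own.

WEBROOT="${WEBROOT:-/var/www/limesurvey}"   # assumed install path
WEBGROUP="${WEBGROUP:-www-data}"             # assumed web server group
# Directories the application writes to at runtime (uploads, caches).
# Assumed names; verify against your installation.
RUNTIME_WRITABLE="tmp upload"

# Default state: the owner keeps the files, the web server group can read
# but not write, "other" gets nothing (so local users cannot read config.php).
# Only the runtime directories stay group-writable.
harden_webroot() {
  root="$1"; grp="$2"
  chgrp -R "$grp" "$root"
  find "$root" -type d -exec chmod 750 {} +
  find "$root" -type f -exec chmod 640 {} +
  for d in $RUNTIME_WRITABLE; do
    if [ -d "$root/$d" ]; then
      chmod -R g+w "$root/$d"
    fi
  done
}

# Update window: let the web server (group) replace any file, which is what
# ComfortUpdate needs and what the original poster did with chmod g+w.
open_for_update() {
  root="$1"
  chmod -R g+w "$root"
}

# Print every path that is group- or world-writable outside the runtime
# directories. Empty output means the update window is closed again.
audit_writable() {
  root="$1"
  find "$root" \( -perm -020 -o -perm -002 \) -print | while read -r p; do
    rel="${p#"$root"/}"
    keep=1
    for d in $RUNTIME_WRITABLE; do
      case "$rel" in
        "$d"|"$d"/*) keep=0 ;;
      esac
    done
    if [ "$keep" -eq 1 ]; then
      printf '%s\n' "$p"
    fi
  done
}

# CLI: ./perms.sh harden|open|audit  (no argument: only define the functions)
case "${1:-}" in
  harden) harden_webroot "$WEBROOT" "$WEBGROUP" ;;
  open)   open_for_update "$WEBROOT" ;;
  audit)  audit_writable "$WEBROOT" ;;
  "")     ;;
  *)      echo "usage: $0 harden|open|audit" >&2 ;;
esac
```

Run `harden` once after installation, `open` immediately before starting ComfortUpdate, then `harden` again and `audit` afterwards; the audit should print nothing. The script only changes the group, so the root:www-data ownership the quoted advice recommends still has to be set with chown as root.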

Re:IS comfort update safe 3 years 11 months ago #50350

  • lovepade
  • Expert Lime
  • Posts: 93
  • Karma: 0
Ok

It seems to be just as complicated as I thought. Suggestion: maybe write a small note about how the comfort update, in some environments _could_ cause security problems.

Cheers

Re:IS comfort update safe 3 years 11 months ago #50351

  • Mazi
  • LimeSurvey Team
  • Posts: 5325
  • Thank you received: 296
  • Karma: 249
If you are missing some information in the manual, feel free to improve it. Our manual is a wiki; everyone can edit it and you can't do much wrong.
So if you miss anything in the manual and have found out how to do it, please add this information. Thanks!

Link: docs.limesurvey.org/tiki-index.php?page=Using+ComfortUpdate

Best regards/Beste Grüße,
Dr. Marcel Minke
(Limesurvey Head of Support)
Need Help? We offer professional Limesurvey support
Contact: marcel.minke(at)limesurvey.org

Re:IS comfort update safe 3 years 11 months ago #50353

  • lovepade
  • Expert Lime
  • Posts: 93
  • Karma: 0
Thank you - I feel like an idiot. My username for this board, and for ideas, doesn't work at the wiki. And I can't seem to find a "create user" link....

(embarrassed)

Re:IS comfort update safe 3 years 11 months ago #50364

  • Mazi
  • LimeSurvey Team
  • Posts: 5325
  • Thank you received: 296
  • Karma: 249
We synchronized forum, wiki/manual and bugtracker usernames and passwords. Please set a new password by clicking your username in the forum and choosing edit -> update your profile -> contact info. This way everything will get synchronized and you should be able to log in.

Best regards/Beste Grüße,
Dr. Marcel Minke
(Limesurvey Head of Support)
Need Help? We offer professional Limesurvey support
Contact: marcel.minke(at)limesurvey.org

Re:IS comfort update safe 3 years 11 months ago #50366

  • lovepade
  • Expert Lime
  • Posts: 93
  • Karma: 0
That explains it - thx. I still get an "invalid username" - but I suspect the machine needs some alone time to ponder whether to accept the update.

will try again tomorrow

Re:IS comfort update safe 3 years 11 months ago #50389

  • Mazi
  • LimeSurvey Team
  • Posts: 5325
  • Thank you received: 296
  • Karma: 249
If you are still having problems please contact user c_schmitz at our IRC:
www.limesurvey.org/en/support/live-chat

Best regards/Beste Grüße,
Dr. Marcel Minke
(Limesurvey Head of Support)
Need Help? We offer professional Limesurvey support
Contact: marcel.minke(at)limesurvey.org