I am trying to get a few Content Management Systems up and running. But I have security concerns with respect to them
1) please see following link http://www.dokeos.com/doc/installation_guide.html section 2 says The following directories need to be readable, writeable and executable for everyone:
- dokeos/main/inc/conf/
- dokeos/main/upload/users/
- dokeos/main/default_course_document/
- dokeos/archive/
- dokeos/courses/
- dokeos/home/
I am not very happy with this idea of having directories to be readable,writeable and executable for every one.
2) http://doc.claroline.net/en/index.php/Install_general_information
the section Rights on folders says
" If you don't want to set write access on the whole folders, which is recommended for security reasons, give to the web server user write access on these folders : "
Is this a recommended practice.?
3) Also another LMS (Learning Management System) while installing asked to give some folders writeable and executable for every one here is a link http://atutor.ca/atutor/docs/installation.php While installing it I got a message
“The directory you specify must be created if it does not already exist
and be writeable by the webserver. On Unix machines issue the command chmod a+rwx content, additionally the path may not contain any symbolic links. chmod a+rwx /var/www/atutor/content”
4) Another LMS docebolms asked to give write permissions on
files/doceboCore/photo
files/common/users
files/doceboLms/course
files/doceboLms/forum
files/doceboLms/item
files/doceboLms/message
files/doceboLms/project
files/doceboLms/scorm
files/doceboLms/test
I checked its documentation http://www.docebo.org/doceboCms/index.php?mn=docs&op=docsπ=5_4&folder=7 but was not that helpful.
I am not at all convinced by the idea of giving permissions to read,write and execute as these Learning Management Systems say. Let me know what you people have to say? What is the best practise in such situations?
You're right to be concerned, and too many application vendors resort to telling you you need to grant full permissions to every user in order to avoid problems. They do this to minimize support calls, rather than to maximize security.
It does make sense that the web server account would need write access to certain directories to store uploads or generated files. And execute access on directories is required in Unix in order for the contents of the directory to be enumerated by a user, so that will also be necessary.
Ultimately, what you want is for the user account that is running the web server process (most likely
www-data
if you are using a packaged web server on Ubuntu) to own the folders in question, and then the standard permissions of 755 (rwxr-xr-x) are sufficient, or if you are on a shared system with other untrusted users, you'd want 700 (rwx------).So, in your first example, assuming those directories already exist, you would need to do this:
Again, if you are on a shared system, you may wish to replace "755" with "700" on the second line. If you know that
www-data
is not the user running your web server, replace that item with the correct value. You can run the same two commands on the directories for the second system as well. In both cases, write access is probably necessary, but only for the single user running the web server, not for everyone.Good luck.