Hi, I am new to Moodle and to Unix servers. My Moodle site is running on a cheap Unix-based hosted service.
I have just successfully installed Moodle 1.9.3 (I think, in any case 1.9+).
In going through the admin area, I see in Notifications:
"Your site configuration might not be secure. Please make sure that your dataroot directory (/.../www/moodledata) is not directly accessible via web."
Hmmm... Don't know what to do to secure the site.
The file permissions seem to be currently wide open, but I don't know if that means someone needs to be logged in to my web hosting service to do anything or not.
File permissions of directory: drwxrwxrwx
Owner of directory: You (me, I could also choose "webserver")
Any idea what I should do?
Thanks for any advice!
Dave
Dave,
The moodledata folder should be outside of the /www/ folder.
The permissions need to be wide open for Moodle to write to it when necessary. It will be inaccessible to everyone when it sits outside of the /www/ folder.
Jeff
The moodledata folder should be outside of the /www/ folder.
The permissions need to be wide open for Moodle to write to it when necessary. It will be inaccessible to everyone when it sits outside of the /www/ folder.
Jeff
DF (& JW),
More generally, it should be outside of the web document root folder (directory), which is not always called www. It is the folder that the main part of your URL (that is, the part up to the first single /; for example, in http://your.domain.com/moodle/lib/weblib.php, it is http://your.domain.com/) points to.
Sometimes this is not possible, as with a commercial web host that does not allow it. In that case, the web server should be configured so that files in the data folder are not served to web browsers.
For more details, see the link in KAW's post.
RLE
More generally, it should be outside of the web document root folder (directory), which is not always called www. It is the folder that the main part of your URL (that is, the part up to the first single /; for example, in http://your.domain.com/moodle/lib/weblib.php, it is http://your.domain.com/) points to.
Sometimes this is not possible, as with a commercial web host that does not allow it. In that case, the web server should be configured so that files in the data folder are not served to web browsers.
For more details, see the link in KAW's post.
RLE
On shared hosting sites or when working with someone else's install that has the folder in the www I just turned off indexing and it works fine.
I'm afraid that's not enough. Turning indexing off only makes it marginally more difficult to access the contents (so marginally that it only takes a couple of seconds to jump over the hurdle).
If you must have your moodle data directory inside the 'www' root, you must configure your web server to deny access to that folder. That's the only way to secure it from the web side. Nothing else will do it.
Then you need to adjust the permissions of the directory so other users on the same server can't access your moodle data directory.
Saludos. Iñaki.
Thanks. So if I wanted to move that folder what else should I change? 3 of the 5 schools I work with have it in the same directory as moodle. Also if you have more than one moodle on the same web host how would you accommodate all the folders in the root?
Maybe I missed something, apologies if I did, but you can host almost as many "roots" as you want from one host and if using a web host one thing I suggest is to use subdomains.
Of course you could also go as far as using something like the Netscape Enterprise Server or IIS and acl everything and do away with anonymous web users.... though that would I think be rather horrific.....
Security is relative and will always be relative, but deploying .htaccess throughout or removing files from root isr easonable, and .htaccess could always be managed via a little bot... plenty of examples abound
Of course you could also go as far as using something like the Netscape Enterprise Server or IIS and acl everything and do away with anonymous web users.... though that would I think be rather horrific.....
Security is relative and will always be relative, but deploying .htaccess throughout or removing files from root isr easonable, and .htaccess could always be managed via a little bot... plenty of examples abound
If you move the folder, you need to edit config.php to reflect the new directory path in the $CFG->moodledata config value.
If you really can't move it outside of your web root (and sometimes you can) then you need to configure your web server (Apache, IIS, whatever) to deny access to that directory from the web.
The way you do it is web-server specific, so you should check the web server documentation and your hosting provider documentation, or ask your web hosting provider to do it for you.
Saludos. Iñaki.
Indeed. Indexing, if I understand you to mean the kind of indexing that IIS does for example, does nothing to secure the contents of your directories (in fact indexing was used for some IIS exploits at one time ;=} ) Some people have argued that turning of directory browsing "works" because it obscures the contents of the directories, but obscured is not secured as someone I know is want to say!
On the other hand, one could argue that its not a big deal for someone to look in the data directory because there may be nothing there worth securing.... I suppose that is an argument, but ti reminds me of the logic that bails out major banks but sticks poor, ignorant, defaulting homeowners with the loss of their house......
On the other hand, one could argue that its not a big deal for someone to look in the data directory because there may be nothing there worth securing.... I suppose that is an argument, but ti reminds me of the logic that bails out major banks but sticks poor, ignorant, defaulting homeowners with the loss of their house......
On the other hand, one could argue that its not a big deal for someone to look in the data directory because there may be nothing there worth securing..
But there is something worth securing. And it's critical to secure it: the session data files (the files inside moodledata/sessions). If I can have a look at your session data files, I can login as any user that has a session opened at the time I look at the session files, without even needing to know the password. And that includes the admin user too.
So please, please, please. Protect your moodledata directory from external (web) and internal (same server) access.
Saludos. Iñaki.
I certainly agree that moodledata should be secured Iñaki!
Dave
You may want to take a look at this in the installation docs. The advice there is to use 770 for the permissions on the moodledata directory. You should also set the owner:group of the directory as your webserver user.
Hope this helps!
Ken
Thanks everyone. Sorry I did not see that info in the installation docs before I posted and thanks for the kind, patient and quick responses! Dave