Hacking and Security II

by Robin Greaves -
Number of replies: 9
Hi,
I didn't know where in the old thread (at http://moodle.org/mod/forum/discuss.php?d=78150#p347922) to put this, even though it's related somehow, so I've started again.

I got an error message from my installation which read:

"Your site configuration might not be secure. Please make sure that your dataroot directory (/home/phoenx/public_html/develop/uploaddata) is not directly accessible via web."

I didn't seem to be able to access it from the web using:
www.phoenixchange.com/develop/uploaddata

But, as there was an error message, I thought I'd better be sure, so I asked my host. They replied:-

"http://phoenixchange.com/develop/uploaddata would be the correct URL to visit. I see it throws a 500 error, but the directory has 755 permissions which are web-accessible. I changed the permissions of the directory to 444. If the warning is still present, please provide me with a URL where I can view the error if possible and I will further investigate."

But now accessing my site generates the following message at the top of the page (using Firefox anyway):

"Warning: fopen(/home/phoenx/public_html/develop/uploaddata/.htaccess) [function.fopen]: failed to open stream: Permission denied in /home/phoenx/public_html/develop/lib/setuplib.php on line 127
Warning: mkdir() [function.mkdir]: Permission denied in /home/phoenx/public_html/develop/lib/setuplib.php on line 138
ERROR: Could not find or create a directory (/home/phoenx/public_html/develop/uploaddata/temp)
ERROR: Could not find or create a directory (/home/phoenx/public_html/develop/uploaddata/cache)
ERROR: Could not find or create a directory (/home/phoenx/public_html/develop/uploaddata/sessions)"

Does anyone know what's happened? I've told my host what happened. I suppose they could just reset them to as they were, but that wouldn't address the original "problem".

In reply to Robin Greaves

Re: Hacking and Security II

by Robin Greaves -
Oops, my host seems to have screwed up (as I'm sure you who know about these things will have realised!). My host has since replied:

"I apologize, Robin. This should now be resolved. A directory cannot have less than 755 permissions otherwise it will prevent scripts on the server from accessing its contents. The way to remove web accessibility from a directory is to create a .htaccess file with:
deny from all
inside.
This is already done for uploaddata. However, I cannot find a 'moodle_data' directory. Please post where this location is and I will be happy to set this .htaccess there as well."

The site's running fine but if they're correct about the .htaccess file already being there why's my install still saying that there's a problem??

And can anybody help with where this moodle_data file/folder is????

In reply to Robin Greaves

Re: Hacking and Security II

by Jan Dierckx -
moodle_data directory or dataroot is just a name that is used in documentation for the directory that Moodle uses to store files (like uploaded assignments, course files, etc... hence the security risk involved, you don't want students browsing to assignments uploaded by other students)

In your case this directory is the one you decided to call 'uploaddata' and that is a good name.

/home/phoenx/public_html/develop/uploaddata

seems to be the complete path to this directory. It is inside the public_html directory. Everything inside this directory is meant to be accessible from the web.


You can indeed use .htaccess to prevent people accessing specific directories inside public_html. The easier solution would be to ask your host if you're allowed to have one directory outside the public_html directory, something like...

/home/phoenx/private/uploaddata



In reply to Jan Dierckx

Re: Hacking and Security II

by Chris Collman -
Jan,
Thanks for the tip, it worked great. Ironically, I found it via a Google search using part of the warning message.

I was able to use cPanel to create the folder(s) and move all the files there from public_html/moodle/uploaddata. I went to config.php and made the change.

Note: I had uploaded 1 image and placed it on the frontpage. Moodle could not find it. I uploaded the image again via the picture edit and Moodle was happy.
So a caution for users with lots of data and images uploaded. It would seem to me there is another place that needs to be tweaked for existing data.

Best Chris


In reply to Robin Greaves

Re: Hacking and Security II

by Just H -
Hi Robin

Jan covered everything I believe other than the original "error":

"Your site configuration might not be secure. Please make sure that your dataroot directory (/home/phoenx/public_html/develop/uploaddata) is not directly accessible via web."

That's actually a warning rather than an error, basically just stating that your "uploaddata" directory isn't where it's recommended to be and asking you to check that it's not accessible from the web. I have seen a couple of posts asking the same thing, so perhaps it's not as obvious a "warning" as it should be.

H

In reply to Just H

Re: Hacking and Security II

by Robin Greaves -
Sounds like an error to me Harry! Seems Moodle will WORK with the data accessible via the web, but that it's a rather crazy way to set it up if you can avoid it. No? But I take your point . . .

Anyway . . . thanks for the advice both, I'll set up another directory outside of public_html and move the stuff there . . . oh err, a "last" thought . . . won't that confuse poor old Moodle??? It won't be able to find anything anymore, unless it's really very clever?? Which it may well be! Reassurance? Or am I doomed at this stage to play with this htaccess thingummygibbit?

(. . . for the record, I didn't decide to call this "moodle_data" thingummy anything, it's just how the software installed and named its stuff. Maybe that is something that should be straightened out in the docs. Terminology is always tricky. In IT that seems especially so, as it has a tendency to appropriate words from other terminologies and use them in rather wacky ways. If Moodle has its own jargon that adds another layer of obfuscation for "non-members" to deal with, like my host. No wonder they couldn't find it! I'm off to make my apologies!)



In reply to Robin Greaves

Re: Hacking and Security II

by Iñaki Arenaza -
Once you've moved your "moodle data" directory to wherever you want, just edit file config.php and adjust the path of the $CFG->dataroot variable to point to the new location. That should do it.

Saludos. Iñaki.
In reply to Iñaki Arenaza

Re: Hacking and Security II

by Amy Riebli -

I am having a problem with this...could you tell me how to "adjust the path of the $CFG->dataroot variable to point to the new location." 

I would really appreciate the help! 

In reply to Amy Riebli

Re: Hacking and Security II

by Iñaki Arenaza -

If your moodle data directory was at, say, /var/www/public_html/moodledata, and now is at, say, /var/lib/moodledata, then you should change the value of $CFG->dataroot from '/var/www/public_html/moodledata' to '/var/lib/moodledata', in your config.php file.

Saludos. Iñaki.
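The whole procedure the replies above describe, in one place: Jan's advice to move the data directory out of public_html, Just H's point that the warning is really a check that the dataroot is not under the web root, Iñaki's config.php change, and the host's deny-all .htaccess as the fallback when the directory cannot be moved. This is an added example, not code from the thread or from Moodle itself; the file layout and path names in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from Moodle itself. Moves a
# Moodle dataroot out of the web root and repoints $CFG->dataroot in
# config.php. All paths used in comments below are assumptions.

# Return 0 if directory $1 lies inside directory $2, comparing resolved
# absolute paths so symlinks and trailing slashes do not fool the check.
# Both directories must exist. This is the check the warning is asking for.
path_inside() {
    child=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    parent=$(cd "$2" 2>/dev/null && pwd -P) || return 1
    case "$child/" in
        "$parent"/*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Print the current $CFG->dataroot value from a Moodle config.php
# (first uncommented assignment, single- or double-quoted).
current_dataroot() {
    awk -F"['\"]" '/^[[:space:]]*[$]CFG->dataroot[[:space:]]*=/ { print $2; exit }' "$1"
}

# Rewrite the $CFG->dataroot line in config.php $1 to point at $2.
# Writes a temp file and renames it so a crash never leaves a half-written config.
set_dataroot() {
    cfg=$1; new=$2; tmp="$cfg.tmp.$$"
    awk -v new="$new" -v q="'" '
        /^[[:space:]]*[$]CFG->dataroot[[:space:]]*=/ { print "$CFG->dataroot = " q new q ";"; next }
        { print }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Fallback when the directory cannot be moved: the .htaccess the host
# used. "deny from all" is Apache 2.2 syntax; on Apache 2.4 without
# mod_access_compat the equivalent line is "Require all denied".
deny_web_access() {
    mkdir -p "$1" && printf 'deny from all\n' > "$1/.htaccess"
}

# relocate_dataroot CONFIG WEBROOT DEST
# If the dataroot named in CONFIG sits under WEBROOT, move it to DEST
# (whose parent must be outside WEBROOT) and update CONFIG. Prints the
# dataroot path that is in effect afterwards.
relocate_dataroot() {
    cfg=$1; webroot=$2; dest=$3
    old=$(current_dataroot "$cfg")
    [ -n "$old" ] || { echo "no \$CFG->dataroot found in $cfg" >&2; return 1; }
    if ! path_inside "$old" "$webroot"; then
        echo "$old"      # already outside the web root: nothing to do
        return 0
    fi
    [ ! -e "$dest" ] || { echo "$dest already exists" >&2; return 1; }
    mkdir -p "$(dirname "$dest")" || return 1
    if path_inside "$(dirname "$dest")" "$webroot"; then
        echo "$dest is still inside $webroot" >&2; return 1
    fi
    mv "$old" "$dest" || return 1
    set_dataroot "$cfg" "$dest" || return 1
    echo "$dest"
}

# Example use on the layout from this thread (paths assumed, not verified):
#   relocate_dataroot /home/phoenx/public_html/develop/config.php \
#                     /home/phoenx/public_html /home/phoenx/private/uploaddata
```

Run it as the same account that owns the Moodle files, or fix ownership afterwards: the web server's PHP process still has to create temp, cache and sessions under the new path, which is exactly what broke when the host set the old directory to 444. Moving (not copying) keeps the file layout inside the dataroot intact, so only config.php needs to change.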

In reply to Robin Greaves

Re: Hacking and Security II

by Aryan Nava -

Here are step-by-step instructions on how you can move your folder to a secure location so that you don't get "Your site configuration might not be secure. Please make sure that your dataroot directory is not directly accessible via web".

http://virtualizesharepoint.com/2011/05/13/your-site-configuration-might-not-be-secure-please-make-sure-that-your-dataroot-directory-in-moodle/