Security concerns


by Penny Magas -
I'm on a 1and1 server and with the help of reading the forum entries along with help from all of you directly, I got my Moodle installation up and running. But now I think I need to tighten up the security. I received this message on my Notifications page:
Enabling the PHP setting display_errors is not recommended on production sites because some error messages may reveal sensitive information about your server.
I checked the Server - Debugging section of my settings. Debug messages was already set to None. I turned off Display Debug Messages then. But no change in the message.

I checked my php.ini and config.php files. My php.ini file already had:
error_reporting = (E_ALL & ~E_NOTICE & ~E_WARNING);
I left the above and added the following (based on another entry I found on the forum.)
display_errors = off;

I do have an .htaccess file in the moodledata directory containing the following:
deny from all
AllowOverride None

I think I'm at the 'knowing enough to be dangerous' state, though. Can anyone head me in the right direction, please? Thank you much for all of your help!

Regards,
Penny
PS - Since I have security concerns, I want to leave the site off the entry for now. If anyone wants to help and has time to look, I'll be happy to give you the info offline.

Re: Security concerns

by Richard Enison -
PM,

  1. Adding the line

     display_errors = off;

     to the php.ini file is exactly what that message on your Notifications page was about. So it should be okay now, provided the php.ini file you edited is effectively active. Because you are on a commercial web host, you don't have access (certainly not write access) to the real php.ini file. That file governs the PHP settings for all of 1and1's clients, and only 1and1 has access to it. The same applies to the Apache configuration file, httpd.conf. That's why Apache made provision for .htaccess files, which clients of web hosts can put in directories of their own web sites to override the default settings of the web host for those directories (and their subdirectories) only. More about that in the next paragraph. Some hosts have made provision for clients to create custom php.ini files, which you can use to override the default PHP settings the way .htaccess is used for Apache settings (and some PHP settings as well). According to http://faq.1and1.com/scripting_languages_supported/php/14.html, you can use custom php.ini files, but you need one in every directory that has .php files in it (a PHP script that will copy your php.ini file to all your Moodle directories is at http://tips-scripts.com/php_ini_copy). But it seems to imply that under certain circumstances you need to use .htaccess instead. If so, you should be able to set display_errors there, but since it is a Boolean (on/off) type setting, use php_flag instead of php_value (the examples shown on the 1and1 FAQ page linked to above use php_value). You might want to ask tech support whether you should use a custom php.ini file or .htaccess.

  2. The .htaccess file in your data directory that you describe was created by Moodle. It does that if it finds that there isn't one there already. Its purpose is to make sure your data directory and its subdirectories are not accessible to hackers with web browsers, just in case your data directory is located within the web document root. It would be a major security problem if it were. It should not be necessary for you to edit that .htaccess file. See Installing Moodle#Creating_the_data_directory and Tracker issue MDL-16957.
RLE
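The reply above hinges on one question that neither php.ini nor the Moodle Notifications page answers directly: is the php.ini you edited the one PHP actually loads, and is display_errors really off for the requests your users make? The following diagnostic script is an added example for this thread, not code from Moodle, from 1and1 or from either poster. The file name check_error_display.php is an assumption; it uses only standard PHP functions (php_ini_loaded_file, php_ini_scanned_files, ini_get, error_reporting). Upload it into the Moodle web root (or whichever directory holds your custom php.ini), request it once in a browser, then delete it: its output reveals the php.ini path, which is exactly the kind of server detail the warning is about.

```php
<?php
// check_error_display.php (assumed name): added diagnostic for this thread,
// not part of Moodle. Request it once over HTTP, read the report, then DELETE it.

declare(strict_types=1);

// PHP accepts several spellings for boolean ini values ("Off", "0", "", "no");
// anything else, including "stderr"/"stdout" for display_errors, means enabled.
function ini_bool(string $value): bool
{
    return !in_array(strtolower(trim($value)), ['', '0', 'off', 'false', 'no'], true);
}

// Collect the settings in force for THIS request plus a list of unsafe findings.
function check_error_settings(): array
{
    $loadedIni  = php_ini_loaded_file();    // false if no php.ini was read at all
    $scannedIni = php_ini_scanned_files();  // extra .ini files picked up, or false
    $display    = (string) ini_get('display_errors');
    $logErrors  = (string) ini_get('log_errors');
    $errorLog   = (string) ini_get('error_log');

    $problems = [];
    if (ini_bool($display)) {
        $problems[] = 'display_errors is ON: warnings can print file paths, SQL and '
                    . 'stack traces into pages served to users';
    }
    if (!ini_bool($logErrors)) {
        $problems[] = 'log_errors is OFF: with display turned off you would lose the '
                    . 'messages entirely; enable logging instead';
    }

    return [
        'loaded_ini'      => $loadedIni === false ? '(none)' : $loadedIni,
        'scanned_ini'     => $scannedIni === false ? '(none)' : $scannedIni,
        'display_errors'  => $display === '' ? '(empty = off)' : $display,
        'log_errors'      => $logErrors === '' ? '(empty = off)' : $logErrors,
        'error_log'       => $errorLog === '' ? '(default: web server error log)' : $errorLog,
        'error_reporting' => error_reporting(),   // integer bitmask actually in force
        'problems'        => $problems,
    ];
}

// Plain text so nothing in the report is interpreted as HTML by the browser.
header('Content-Type: text/plain; charset=utf-8');
$report = check_error_settings();
foreach ($report as $key => $value) {
    if ($key === 'problems') {
        continue;
    }
    printf("%-16s %s\n", $key . ':', $value);
}
echo "\n";
if ($report['problems'] === []) {
    echo "OK: error display is off and error logging is on.\n";
} else {
    foreach ($report['problems'] as $p) {
        echo "PROBLEM: $p\n";
    }
}

// If the host tells you to use .htaccess instead of a per-directory php.ini,
// the equivalent mod_php directives are (php_flag, because the values are
// booleans):
//
//   php_flag display_errors off
//   php_flag log_errors     on
//
// Re-run this script afterwards. If display_errors still reports on, the
// directives were not applied to your requests (for example because PHP runs
// as CGI/FastCGI, where php_flag/php_value are not honoured and a php.ini or
// .user.ini in the directory is the way to go).
```

The value to look at first is loaded_ini: if it is the host's global file rather than the copy you edited, every other line explains why the Notifications warning did not go away. Once the report is clean, remove the script; it has no business on a production site.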