Installation: "Secure the Moodle files".

by Roman Kornilov -
Number of replies: 8

Hello!

Would anyone be so kind to help me understand "Secure the Moodle files" section of "Installing Moodle" instruction?

First of all it says that it is "vital that the files are not writeable by the web server user" and suggests to make them (moodle core files) to be read-only for anyone except root user.

But then, literally a few strings later, it says that "If you want to use the built-in add-on installer you need to make the directory writable by web server user". So it comes out that it is not so VITAL "that the files are not writeable by the web server user". Or did I miss something?

Question two: the same section suggests of using ACL's instead of simple UNIX file permissions. I know almost nothing about ACL's and hoping there is still a way to secure the Moodle files with good-old chown&chmod. Is it true?

 

Great thanks in advance!

Roman.

P.S. English is not my natural language, so I am sorry for all mistakes I made and will appreciate any corrections.

smile

Average of ratings: -
In reply to Roman Kornilov

Re: Installation: "Secure the Moodle files".

by Howard Miller -

Once fully installed, your Moodle files (the program files, not data) should be *read only* by the web server user. Typically, that means everybody except you (or the superuser). During *installation* the directory can be made writeable (temporarily) to enable the installer to create the config.php file. Once installation is complete it must be reset to read-only. So, typically, on Linux it might be...

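sudo mkdir /var/www/moodle
# ...copy moodle program files to /var/www/moodle...
# temporarily writeable so the installer can create config.php
sudo chmod 0777 /var/www/moodle
# ...install moodle...
# back to read-only for everybody except root
sudo chmod 0755 /var/www/moodle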

/var/www/moodle is owned by root with 0755 permissions (read/write for 'root' and read-only for everybody else).

If your server is not shared then ACLs don't matter much. However, it's the future and worth finding out about.

I'll re-read the instructions and try to make this clearer. 

Average of ratings: Useful (1)
In reply to Roman Kornilov

Re: Installation: "Secure the Moodle files".

by Visvanath Ratnaweera -
Hi Roman

Could you be specific on which wiki-page you are talking about? There are so many: http://docs.moodle.org/en/Category:Installation

In simple terms, the owner of the web-server ('www-data', 'apache', ...) needs _read_ permission to the Moodle source ($moodle) and _write_ permission in Moodle data ($moodledata).

If you are careful, you can follow "Most secure/paranoid file permissions", the last section in docs.moodle.org/en/Security_recommendations, or even go for ACLs (if you know your system well).

I can remember, there was the idea of keeping a subdirectory under $moodle _writable_ for plug-ins. I don't know how far it has gone - I am not interested.

Because of these conflicting wiki-pages, I keep my instructions separately: http://www.syndrega.ch/?p=38. It is aimed for Debian-alikes, but with an understanding of your system, can be adapted to most of the Unixes. Your feedback is welcome!
Average of ratings: Useful (1)
In reply to Roman Kornilov

Re: Installation: "Secure the Moodle files".

by Ken Task -

While both gentlemen are correct, one might run into permissions issues when using the Moodle UI as Admin level and either upgrading an add-on/plugin or installing a non-core add-on/plugin.   So if, in the future, you use the Moodle UI as Admin level to install/update, might keep in mind that OP might need to change permissions.

'spirit of sharing', Ken

In reply to Ken Task

Re: Installation: "Secure the Moodle files".

by Visvanath Ratnaweera -
Ken

You wrote:
> one might run into permissions issues when using the Moodle UI as Admin level and either upgrading an add-on/plugin or installing a non-core add-on/plugin.

Could you be more specific on this? I mean, could you say in which sub-directories the web-server needs write permissions during the tasks you've mentioned?
In reply to Visvanath Ratnaweera

Re: Installation: "Secure the Moodle files".

by Ken Task -

The few times that happened, unfortunately, was under a time constraint to get multiple sites (7 over holidays) updated to the hilt.   Didn't really have time to do specific research/investigation.   Notice said the plugin could not be updated and to check permissions so did the easiest/quickest 'fix'.   Will tinker and report what I find.  Think I know where you are going with this, however ... change permissions on those only - which would be good advice.

'spirit of sharing', Ken

In reply to Ken Task

Re: Installation: "Secure the Moodle files".

by Ken Task -

Replying to own post (sick man!) to keep info 'together' ...

Just had to update plugins on a server ... findings:

Apparently, when one has plugins to upgrade, Moodle uses the data directory/mdeploy/ directory.

In the above directory one can see archive, auth, and var directories … as well as a mdeploy.log file.

In the archive directory, directories named thusly:

drwxr-sr-x. 18 apache apache 4096 Sep  3 14:23 game_1378236220.0
drwxr-sr-x. 18 apache apache 4096 Sep 30 17:32 game_1380580322.0

Permissions, BTW, not set manually.

Those directories consist of the unzipped mods/blocks, etc. downloaded from source.

On the Plugins check screen where one sees the ‘install this update’ button the plugins needing updating are listed (actual directory location also shown).

The mdeploy.log consists of references such as this:

2014-01-07 11:11:44 === MDEPLOY EXECUTION START ===
2014-01-07 11:11:44 Successfully authorized using the passphrase file
2014-01-07 11:11:44 Plugin upgrade requested
2014-01-07 11:11:44 Downloading package https://moodle.org/plugins/download.php/5116/mod_certificate_moodle26_2013102300.zip
2014-01-07 11:12:09 Package downloaded into /var/www/moodledata/mdeploy/var/8366ae9971b015c41747e0644558452a.0.zip
2014-01-07 11:12:09 MD5 checksum ok
2014-01-07 11:12:09 Current plugin code location: /var/www/html/moodle/mod/certificate
2014-01-07 11:12:09 Moving the current code into archive: /var/www/moodledata/mdeploy/archive/certificate_1389114729.0
2014-01-07 11:12:09 Package successfully extracted

'spirit of sharing', Ken
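The log format shown in the post above can be used to track which code directories the web UI has replaced. This is an added example, not part of the original post: the function names and the second (constructed) run are assumptions, and only the message texts visible in the excerpt are matched.

```shell
#!/bin/sh
# Added example. Output, one line per mdeploy run:
#   start time <TAB> package URL <TAB> checksum result <TAB> code dir replaced
mdeploy_summary() {
    awk '
    function emit() {
        if (start != "") printf "%s\t%s\t%s\t%s\n", start, url, md5, dir
    }
    { ts = $1 " " $2; msg = $0; sub(/^[^ ]+ [^ ]+ /, "", msg) }
    msg == "=== MDEPLOY EXECUTION START ===" {
        emit(); start = ts; url = "-"; dir = "-"; md5 = "unverified"; next
    }
    msg ~ /^Downloading package / {
        sub(/^Downloading package /, "", msg); url = msg; next
    }
    msg == "MD5 checksum ok" { md5 = "ok"; next }
    msg ~ /^Current plugin code location: / {
        sub(/^Current plugin code location: /, "", msg); dir = msg; next
    }
    END { emit() }
    ' "$@"
}

# Runs worth a second look: no "MD5 checksum ok" line, or a package URL that
# does not start with the expected prefix. The default prefix is the one
# seen in the excerpt (an assumption; override with MDEPLOY_PREFIX).
mdeploy_review() {
    review_prefix=${MDEPLOY_PREFIX:-https://moodle.org/plugins/download.php/}
    mdeploy_summary "$@" |
        awk -F '\t' -v p="$review_prefix" '$3 != "ok" || index($2, p) != 1'
}

# First run: lines copied from the excerpt above. Second run: constructed.
sample_log() {
    cat <<'EOF'
2014-01-07 11:11:44 === MDEPLOY EXECUTION START ===
2014-01-07 11:11:44 Downloading package https://moodle.org/plugins/download.php/5116/mod_certificate_moodle26_2013102300.zip
2014-01-07 11:12:09 MD5 checksum ok
2014-01-07 11:12:09 Current plugin code location: /var/www/html/moodle/mod/certificate
2014-01-08 09:00:00 === MDEPLOY EXECUTION START ===
2014-01-08 09:00:00 Downloading package https://files.example.test/mod_x.zip
2014-01-08 09:00:03 Current plugin code location: /var/www/html/moodle/mod/x
EOF
}
```

Against a real site the argument would be the mdeploy.log file under the data directory, for example `mdeploy_review /var/www/moodledata/mdeploy/mdeploy.log` with the path from the excerpt.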

In reply to Ken Task

Re: Installation: "Secure the Moodle files".

by Howard Miller -

I took the OP to mean the main Installation page in the docs (as Ernie Wise said, "what I wrote"). It's very difficult to generalise these points about file security. What I really wanted to put is "if you don't understand how your filesystem's permissions work then go away and don't come back until you do". In an ideal world, that would be the best advice. Unfortunately it doesn't work that way. 

Ken - you are talking about installing plugin updates through the UI. A handy feature but goes against the advice in the installation page. I *still* would advocate that you would change the permissions temporarily to allow the upgrade and then put them back. 

Again, it's incredibly hard to generalise - it depends on individual circumstances how paranoid you need to be or should be. 

We have people installing Moodle on XP and then allowing the public internet access. What is one to do?? :-O

In reply to Howard Miller

Re: Installation: "Secure the Moodle files".

by Stuart Mealor -

"I *still* would advocate that you would change the permissions temporarily to allow the upgrade and then put them back."

Agreed.  That's pretty much what we do.
It feels a bit odd though - changing directory permissions, then going back to the Moodle GUI to update, and then back to the CLI or whatever to change the directory permissions back.
If we are at the stage of changing the directory permissions, might as well just update the code there (e.g. unzip a plugin mod), rather than going back to the Moodle GUI to do it.

IF there was some way the Moodle GUI could use a password to change the permissions on the required plugin directory, install, and then change the permissions back that would be really cool. I'm not sure this is possible, as it would require some advanced secure interface -  something like Webmin or other similar.
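The "change the permissions temporarily and then put them back" routine from Howard Miller's posts and the reply above, as an added example that is not part of any post in this thread. It assumes GNU find and stat on Linux, the function names are hypothetical, and the directory, web server user and group are passed as arguments; it grants group write instead of 0777.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU find and stat (Linux).
# Function names are hypothetical; directory, user and group are arguments.

# audit_code_tree DIR WEBUSER: list entries under DIR that WEBUSER owns or
# that group/other can write to. Returns 1 if anything is listed.
# Symlinks are skipped: their own mode bits are always rwxrwxrwx.
audit_code_tree() {
    audit_hits=$(find "$1" ! -type l \
        \( -user "$2" -o -perm -0020 -o -perm -0002 \) -print)
    [ -z "$audit_hits" ] && return 0
    printf '%s\n' "$audit_hits"
    return 1
}

# with_write_window DIR GROUP CMD...: give GROUP write access to DIR only
# while CMD runs, then restore the saved group and mode even if CMD fails.
# Returns CMD's exit status, or 2 if the window could not be opened.
with_write_window() {
    win_dir=$1; win_grp=$2; shift 2
    win_mode=$(stat -c %a "$win_dir") || return 2
    win_old_grp=$(stat -c %g "$win_dir") || return 2
    chgrp "$win_grp" "$win_dir" && chmod g+w "$win_dir" || {
        chgrp "$win_old_grp" "$win_dir"   # undo a half-opened window
        return 2
    }
    "$@"
    win_status=$?
    chgrp "$win_old_grp" "$win_dir"
    chmod "$win_mode" "$win_dir"
    return "$win_status"
}
```

Once the window has closed, `audit_code_tree /var/www/moodle apache` (the path and account name that appear in this thread) should print nothing and return 0.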