Security, posting applet,

by Warren Cole -
Number of replies: 4

1.  My Host requires that any databases have my root ID and password.  I have been able to configure and run moodle on that basis.  Your installation instructions, however, suggest that that is a security risk.  Can you help me understand the risk and suggest what I can do about it under these circumstances (other than changing hosts!)?

2.  The applet that creates the type-in box for these postings runs VERY SLOWLY on my machine, so I am typing way ahead of what displays on the screen.  Is that a function of RAM, processor speed, something I can change or optimize?

3.  I have seen references to .htaccess and apparent references to security.  Where should .htaccess live, how do I get it there?  My Host doesn't allow .htaccess files to be displayed and edited by customers.  They want to do that stuff themselves so I have to be real specific on what needs done and where.

I am very impressed with Moodle and look forward to using it further.  As my kids would say:  "You Rock!"

In reply to Warren Cole

Re: Security, posting applet,

by Martin Dougiamas -
1. The risk is that if someone managed to get access to your config.php, or if they intercepted the password being used between machines, then they might be able to delete all your databases. I don't think you need to worry in your situation.

2. The speed of the richtext editor is totally a client thing. You can switch it off completely in the user preferences if it's a hassle.

3. .htaccess is just a file containing Apache commands. You might put one in the root folder of Moodle to set some PHP variables, and you might put one within your moodledata directory to prevent all outside read access (if your moodledata directory is in your public web space). Examples of the former are in the lib/htaccess file. To do the latter the file just needs to contain "deny from all".
In reply to Martin Dougiamas

Re: Security, posting applet,

by John Windmueller -

I've yet to use .htaccess to restrict outside access to a file--see, installing and configuring Moodle really is do-able for complete technical newbies :)

Anyhow, would I use chmod or .htaccess in order to restrict a user's ability to view the config.php file?  And if so, any suggestions on proper settings?

Thanks,
John
p.s. First cron and now .htaccess and/or chmod... I tell you, at this rate you'll have good dissertation fodder about the role of Moodle as a heuristic device for helping non-tech-oriented faculty learn more about IT issues than they ever thought possible ;)

In reply to John Windmueller

Re: Security, posting applet,

by Martin Dougiamas -
.htaccess is for protection from the web. There's no need to protect config.php itself, because nothing shows anyway, eg http://moodle.com/config.php

The problem is if a hacker managed to gain shell access to the system through some other means (eg they might have your login account), and was then able to view the config.php as a raw file. They might then see the database user/password in there and run amuck with your data.

config.php has to stay readable to the web server process (so that Moodle works) and your account (so you can edit it) so there's not much you can do to chmod config.php either.

Basically the best solution for all this is to use a database account with limited capability and keep backups. Don't worry too much about all this, it's just about reducing risk in a hypothetical and fairly rare situation.
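As an added illustration of the "database account with limited capability" advice above (not part of Martin's reply or of Moodle's own code), here is what such an account looks like on MySQL/MariaDB; the database name `moodle`, the user name `moodleuser` and the password are placeholders to replace with your own values.

```sql
-- Added example: a dedicated account that can only touch Moodle's own database,
-- so a leaked config.php exposes that one schema rather than the whole server.
-- Assumes MySQL/MariaDB and a web server connecting from the same host (localhost).

CREATE DATABASE IF NOT EXISTS moodle DEFAULT CHARACTER SET utf8;

-- Placeholder credentials: pick a strong password and put the same values in config.php.
CREATE USER 'moodleuser'@'localhost' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';

-- Only the table-level privileges Moodle needs on its own schema.
-- Deliberately absent: global privileges, SUPER, FILE, GRANT OPTION, and any
-- access to other databases (mysql.*, other sites' schemas).
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, CREATE TEMPORARY TABLES, DROP, INDEX, ALTER
  ON moodle.* TO 'moodleuser'@'localhost';

FLUSH PRIVILEGES;

-- Verification: the output should show only "USAGE ON *.*" plus the grant on moodle.*;
-- any "ALL PRIVILEGES ON *.*" line means the account is still effectively root.
SHOW GRANTS FOR 'moodleuser'@'localhost';
```

Point config.php at this account instead of root; the root credentials then never need to appear in any web-readable file.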