Insecure dataroot (yet again)

by Visvanath Ratnaweera -
Number of replies: 13
I have a LAMP (Debian) site where DocumentRoot is /var/www/moodle and moodledata is /var/www/moodledata. Yet > Site administration > Reports > Security overview says, "Serious: Your dataroot directory /var/www/moodledata is in the wrong location and might be exposed to the web. etc." Is this a bug?

Moodle 2.7.11+ (Build: 20151110)
In reply to Visvanath Ratnaweera

Re: Insecure dataroot (yet again)

by Just H -

For security reasons Moodle wants your moodledata to be a level down e.g. /var/moodledata to ensure it's not accessible from the internet.

From memory I think the docs also explain how to use an .htaccess file to secure it if it's not possible to move it out of the web root.

In reply to Just H

Re: Insecure dataroot (yet again)

by Visvanath Ratnaweera -
Hi

You wrote:
> ... Moodle wants your moodledata to be a level down e.g. /var/moodledata to ensure it's not accessible from the internet.

I have no /var/moodledata, only /var/www/moodledata. And it is not in the service area of Apache since my DocumentRoot is /var/www/moodle.

> From memory I think the docs also explain how to use an .htaccess file to secure it if it's not possible to move it out of the web root.

I don't see a reason for a .htaccess in such a straight forward case.
In reply to Visvanath Ratnaweera

Re: Insecure dataroot (yet again)

by Bret Miller -

My guess, and it is just that, is that /var/wwwroot is a common place from which websites are served. I rather doubt that Moodle can know whether it is used as a DocumentRoot or not. Therefore it probably just compares it to a list of standard places and says "it's not a good idea to put it there" because in many cases with less informed admins, it would be a security risk.

In reply to Bret Miller

Re: Insecure dataroot (yet again)

by Visvanath Ratnaweera -
Oh, please! Who was talking about a /var/wwwroot? I had only a /var/www/moodledata and a /var/www/moodle all along!

A string comparison like what you suggest will never work. Or to put it differently, such a vague comparison should not give a _serious_ warning!
In reply to Visvanath Ratnaweera

Re: Insecure dataroot (yet again)

by Ken Task -

In a CentOS server, apache set to use 'DocumentRoot' as /var/www/html/ - where the web pages live.  Apache, as an app and as apache user/group is configured to use /var/www/ ... so on a CentOS box, moodledata can go into /var/www/  cause it's NOT document root for apache.

You can change document root in your apache config to point to /var/www/moodle IF you are only serving Moodle from that instance of apache.   Your apache app/user root is still /var/www/ then and Moodle shouldn't complain about it.

'spirit of sharing', Ken


In reply to Ken Task

Re: Insecure dataroot (yet again)

by Visvanath Ratnaweera -
Hi Ken

You said:
> You can change document root in your apache config to point to /var/www/moodle IF you are only serving Moodle from that instance of apache.

That is exactly what I am doing. The Moodle server has the URL http://example.com, i.e. no 'moodle' anywhere. Apache configuration carries the line:
DocumentRoot /var/www/moodledata

IMHO Moodle should detect it and understand that
$CFG->dataroot  = '/var/www/moodledata';
in config.php is no danger. Or, is it?

> Your apache app/user root is still /var/www/ then and Moodle shouldn't complain about it.

I don't understand that.

In reply to Visvanath Ratnaweera

Re: Insecure dataroot (yet again)

by Ken Task -

The following for CentOS ... could be different with Debian based but there should be a way to do something similar in ANY Linux.

From the httpd.conf file:

# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/var/www/html"

On Moodle servers I help admin I add the moodle code directory to the above path.   So that it now reads:

DocumentRoot "/var/www/html/moodle"

Restart the apache service ... on CentOS that's httpd: /sbin/service httpd restart

And now, rather than Apache serving anything in /var/www/html/ it will serve out anything in /var/www/html/moodle/ (ie, the Moodle index.php page becomes the 'home page').

Since apache user/group already had access rights to /var/www as the user: apache and group: apache on a CentOS box, one can use /var/www/moodledata AND Moodle will not complain.

On CentOS, one normally finds cgi-bin, error, icons and manual in /var/www/ ... those are directories to which the apache user/group has access, but one cannot browse cgi-bin, nor error, nor manual.

So that's why moodledata goes in /var/www/

Check whatever file is used to config your apache.

See what's contained in the first Directory declarations:

<Directory "/var/www/html">

Now if we are talking ubuntu/debian ... then you might have to manually create some directories and set ownership/permissions due to how the apache server is configured to use /var/www/ as document root.

You could tell those flavors to use /var/www/html just like CentOS boxen ... put moodlecode in /var/www/html/ and then moodledata could go in /var/www/ such that Moodle checking won't complain.

'spirit of sharing', Ken

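The two ways of deciding whether a dataroot is reachable, as an added example that is not Moodle's code and not part of any post above: a static check of the kind Bret guesses at, but done against the DocumentRoot and Alias targets actually present in the httpd config Ken walks through, plus a live canary probe that settles the question regardless of how the server was configured. The prefix comparison is done on whole path components, which is exactly what separates /var/www/moodledata from /var/www/moodle in the original question. The sample config, paths, site URL and the fake fetchers in `demo()` are constructed for illustration, and the candidate URLs tried by `canary_exposed()` are an assumption about where a misplaced dataroot would typically surface, not something the thread establishes.

```python
"""Added example, not Moodle's own code. Two ways to decide whether a Moodle
dataroot can be reached through Apache:

1. Static: take DocumentRoot / Alias / ScriptAlias targets from the httpd
   config and test whether dataroot lies inside any of them.  The prefix test
   works on whole path components, so /var/www/moodledata is *not* taken to
   be inside /var/www/moodle.
2. Live: drop a random canary file into dataroot and try to fetch it through
   the site URL; the fetcher is injectable so the check can run offline.
Paths, URLs and the sample config below are constructed for illustration.
"""
import os
import posixpath
import secrets
import shlex
import tempfile
import urllib.error
import urllib.request


def path_is_under(path, root):
    """True if `path` equals `root` or lies inside it, compared by whole
    components: /var/www/moodledata is under /var/www but not /var/www/moodle."""
    path = posixpath.normpath(path)
    root = posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def served_roots(apache_conf):
    """Filesystem directories Apache will serve, read from DocumentRoot,
    Alias and ScriptAlias lines (quoted or bare; comment lines skipped).
    Alias takes 'url-path fs-path', so the last argument is always the path."""
    roots = []
    for line in apache_conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts[0].lower() in ("documentroot", "alias", "scriptalias") and len(parts) >= 2:
            roots.append(parts[-1])
    return roots


def dataroot_served_by(dataroot, apache_conf):
    """Served directories that contain dataroot; an empty list means the
    static check finds no route from a URL to dataroot."""
    return [r for r in served_roots(apache_conf) if path_is_under(dataroot, r)]


def http_get(url):
    """Default fetcher: (status, body); (None, b'') if the request fails."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""
    except urllib.error.URLError:
        return None, b""


def canary_exposed(dataroot, wwwroot, fetch=http_get):
    """Write a random canary into dataroot, try the URLs it would have if
    dataroot (or its parent) were inside the served tree, and report whether
    the server returns the canary's content.  Always removes the canary.
    The candidate URLs are an assumption about common mis-layouts."""
    name = "canary-" + secrets.token_hex(8) + ".txt"
    token = secrets.token_hex(16).encode()
    path = os.path.join(dataroot, name)
    with open(path, "wb") as fh:
        fh.write(token)
    base = wwwroot.rstrip("/")
    origin = "/".join(base.split("/")[:3])          # scheme://host[:port]
    leaf = os.path.basename(dataroot.rstrip("/"))
    candidates = list(dict.fromkeys([
        base + "/" + name,                           # DocumentRoot == dataroot
        base + "/" + leaf + "/" + name,              # dataroot beside index.php
        origin + "/" + leaf + "/" + name,            # dataroot beside the moodle dir
    ]))
    try:
        for url in candidates:
            status, body = fetch(url)
            if status == 200 and token in body:
                return True
        return False
    finally:
        os.unlink(path)


SAMPLE_CONF = """# constructed httpd fragment, not a real server's config
DocumentRoot "/var/www/moodle"
Alias /static /srv/static
"""


def demo():
    """Run both checks on constructed input and return the results."""
    static_ok = dataroot_served_by("/var/www/moodledata", SAMPLE_CONF)     # []
    static_bad = dataroot_served_by("/var/www/moodledata",
                                    'DocumentRoot "/var/www"\n')           # ['/var/www']
    with tempfile.TemporaryDirectory() as dataroot:
        # Fake fetcher standing in for a misconfigured server that maps
        # http://example.com/<file> straight onto dataroot.
        def leaky_fetch(url):
            target = os.path.join(dataroot, url.rsplit("/", 1)[1])
            if os.path.exists(target):
                with open(target, "rb") as fh:
                    return 200, fh.read()
            return 404, b""
        leaky = canary_exposed(dataroot, "http://example.com", leaky_fetch)
        tight = canary_exposed(dataroot, "http://example.com", lambda url: (404, b""))
        leftover = os.listdir(dataroot)
    return {"static_ok": static_ok, "static_bad": static_bad,
            "leaky": leaky, "tight": tight, "leftover": leftover}


if __name__ == "__main__":
    print(demo())
```

Against the original poster's layout the static check returns nothing for `/var/www/moodledata` with `DocumentRoot "/var/www/moodle"`, and flags it only if a served root such as `/var/www` or an Alias actually encloses it; on a real host, run `canary_exposed(CFG.dataroot, CFG.wwwroot)` with the default fetcher to get the answer from the web server itself instead of from a path comparison.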
In reply to Ken Task

Re: Insecure dataroot (yet again)

by Visvanath Ratnaweera -
Ken

I have a vague idea on how to configure Apache, not only in Linux also in other Unix flavours.

My argument is that, I am doing it right (see my first post) but still Moodle complains of a _serious_ security weakness. I know that there are other ways of doing what I am doing, but don't tell me to do it another way, unless you say, and substantiate, what I am doing is wrong.
In reply to Visvanath Ratnaweera

Re: Insecure dataroot (yet again)

by Ken Task -

This seems to be one of your favorite pet peeves - (yet again). ;)

All I can tell you at this point is that using RedHat family servers (RHEL, Fedora, CentOS) your issue is a non-issue.  Examples I provided were about that family of server OS's.

I know of some very knowledgeable RedHat Certified Engineers who purposely change the 'standard configs' of many things ... the theory is standard configs are known (it's *open* source) ... changing them means someone will have a harder time detecting to do their dirty deed.   Wanna-be hackers are easily foiled.

When it comes to Linux, maybe one should consider ... picking own 'poison' (so to speak) and thus one needs to also consider their own 'antidote'! ;)

Suggest checking into the code related to installation and the checking that does and what results for you as a serious warning.

Learned a lesson ... if I don't have experience in the specific chosen 'poison' you run, don't respond ... don't attempt to help. 

So here's another suggestion ... place at the end of your posting something to the effect ...

'non-Debian users, please do NOT respond' ...

This is your thread so you have the last word here ... for me ... outta here! ;)

'spirit of sharing', Ken

Average of ratings: Useful (1)
In reply to Visvanath Ratnaweera

Re: Insecure dataroot (yet again)

by Ken Task -

Ya know, IF *we* could get all the Linux distro folks to actually decide a 'standard' in LSB - Linux Standards Base - then this issue would become a non-issue ... for Moodle.   But, alas, just like other 'biggies', they can be 'frenemies' at times and at other times going for each other's throats.   Even Google is less 'less evil' nowadays.

Know anyone on the 'working group' for LSB?

This is one of those things that frustrates the HE-- out of ya, but ... that's life!

'spirit of sharing', Ken

In reply to Ken Task

Re: Insecure dataroot (yet again)

by Visvanath Ratnaweera -
Ken, your assertion is wrong. If a question doesn't have five answers it is not about Unix!

Unix is not the mono-culture that Microsoft (and many others) like to cultivate. What do you think, why did Thompson and Ritchie (re)invent Multics? They wanted to have it their way!