My admin/index.php is wide open

by John D -
Number of replies: 18

Hi, 

I'm installing moodle for the first time, and just now I found that my admin/index.php page is wide open.

Anyone can get in there without login, and can even do "Upgrade moodle database", which can be devastating.

How to protect my admin/index.php to only admin please?
(I did the moodle installation via some docker container)

Thanks

In reply to John D

Re: My admin/index.php is wide open

by Ken Task -

Is the moodle actually installed?

Until it is, the site will throw any access to the code into installing.

'SoS', Ken

In reply to Ken Task

Re: My admin/index.php is wide open

by John D -
Yes, it is installed (v4.1), just as you said, otherwise the site will throw any access into installing, whereas my site can do normal login, just nothing there yet. 

Maybe an empty site will have an open admin/index.php ?
In reply to John D

Re: My admin/index.php is wide open

by Ken Task -

If installed and you didn't create any new categories or courses, it's pretty much bare but it does require login to access any /admin/ area.  You have only 2 users ... admin (if left for defaults) and guest - which has no password, but shouldn't see /admin/.

You did say 'some docker image' ... was it this one:

https://github.com/moodlehq/moodle-docker

'SoS', Ken

In reply to Ken Task

Re: My admin/index.php is wide open

by John D -
Hmm, actually it is a docker image that I found somewhere in the moodle forum --
https://github.com/thepurpleblob/DockerMoodle, in which the moodle is downloaded from the official site (by me manually) and put into the designated place/slot, and then the magic just happens.
 
In reply to John D

Re: My admin/index.php is wide open

by Ken Task -

Since it's not 'official' docker from MoodleHQ, maybe the best place to get resolution is:

https://github.com/thepurpleblob/DockerMoodle/issues

'SoS', Ken

In reply to Ken Task

Re: My admin/index.php is wide open

by John D -
Well, I found where I got it
https://moodle.org/mod/forum/discuss.php?d=459156#p1844097

and there's no support there.

> Please note that there was no intention to provide or support this beyond my own use.

Although it's not 'official' docker from MoodleHQ, it's official moodle from the official moodle download.
In reply to John D

nginx.conf to protect my admin/index.php

by John D -
Ah, I know what might be the problem -- there is just this single rule in nginx.conf:

https://github.com/thepurpleblob/DockerMoodle/blob/c3ba1e0d5cf9f18baccb4d23350e0c54b9cbd6a9/nginx.conf#L16-L24

I.e., the admin page might have been treated no differently from normal pages.
In reply to John D

Re: nginx.conf to protect my admin/index.php

by Ken Task -

Does this mean you have solved your issue?

AMP stack is really simple ... Apache/MySQL/PHP(perl/python) .. *if* you build it. When one takes something built by others, complications could raise their ugly heads.
Best source of support is the person who built it, but, as it says, no support.


Official Moodle docs on nginx
https://docs.moodle.org/404/en/Nginx

Here's a thread ...
https://moodle.org/mod/forum/discuss.php?d=322457


Consider this ... the docker was supposed to save you time and do the 'heavy lifting' for the AMP stack. I wonder how much time it's really saved you. Kinda like Bitnami ... yes, it does allow one to easily get up and running ... without really knowing how it was built ... where everything related to the AMP stack + app (moodle in this case) was installed and configured. Things are great at first ... but then something happens, and Bitnami users come to moodle forums for resolutions to problems. Suggestions from forum users don't work because most folks here are thinking in terms of a 'standard' AMP stack.

Am Docker and Bitnami void ... so question ... a zero day flaw is found in something AMP.  Fix is released as soon as a fix is available.  Can a Docker/Bitnami upgrade just the part of AMP stack that needs fixing?

The only way one could find out is to learn to build a box from scratch using native package manager.

When one ventures from 'standard', and the further from 'standard' one ventures, the more one is on their own! :)

'SoS', Ken

In reply to Ken Task

Re: nginx.conf to protect my admin/index.php

by John D -
> Does this mean you have solved your issue?

No I haven't.

I've searched everywhere and I now believe that nobody has talked/looked-into it before.

Even the official moodle doc on Nginx doesn't mention anything about any special treatment of the /admin paths:
https://docs.moodle.org/404/en/Nginx

So, IMHO, it has either been overlooked by everyone, or it's moodle's internal config, unrelated to which web server is hosting it.
In reply to John D

Re: nginx.conf to protect my admin/index.php

by Ken Task -

Congrats!   You've gone where no man/woman has gone before! :|

Can only encourage you to keep digging ... and when you do find the resolution, update the docs for nginx. :)

'SoS', Ken

In reply to John D

Re: My admin/index.php is wide open

by Paul Holden -

Hi John, no need to panic - just add the following to your site config:

$CFG->upgradekey = 'somelongpasswordthatyouknowandwontsharewithanyone';
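As an added example (mine, not from the thread and not Moodle's own code), here is a small POSIX shell script that generates a 64-character random key and inserts the `$CFG->upgradekey` line into config.php ahead of the `require_once` of `lib/setup.php`, refusing to touch a file that already has a key. The config path argument, the helper names and the reliance on `od` and `awk` are my assumptions; Moodle itself only needs the setting assigned before lib/setup.php is included.

```sh
#!/bin/sh
# Added example (not from the thread or from Moodle): create a strong upgrade
# key and place $CFG->upgradekey in config.php before lib/setup.php is included.
# Assumes od (coreutils/BSD) and awk; the config path is passed on the command line.
set -eu

# 32 random bytes from the OS CSPRNG, rendered as 64 hex characters.
gen_upgrade_key() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# The exact line Moodle expects in config.php for a given key.
upgradekey_line() {
    printf "\$CFG->upgradekey = '%s';\n" "$1"
}

# Insert the line just before the require_once of lib/setup.php.
# Exit status: 0 inserted, 1 a key is already present (file left untouched),
# 2 the file has no lib/setup.php line so the setting cannot be placed safely.
add_upgrade_key() {
    config="$1"; key="$2"
    if grep -q 'upgradekey' "$config"; then
        return 1
    fi
    if ! grep -q 'lib/setup.php' "$config"; then
        return 2
    fi
    tmp="$config.tmp.$$"
    awk -v line="$(upgradekey_line "$key")" '
        /lib\/setup\.php/ && !inserted { print line; inserted = 1 }
        { print }
    ' "$config" > "$tmp" && mv "$tmp" "$config"
}

# Stand-alone use: sh add_upgradekey.sh /path/to/moodle/config.php
if [ "$#" -ge 1 ]; then
    key=$(gen_upgrade_key)
    if add_upgrade_key "$1" "$key"; then
        printf 'Added upgrade key to %s\n' "$1"
    else
        echo "No change: $1 already has a key or has no lib/setup.php line" >&2
        exit 1
    fi
fi
```

Keep the generated key somewhere private: the web upgrade screens will prompt for it every time, whether or not an admin is logged in, which is exactly what stops the anonymous "Upgrade moodle database" case described at the top of the thread.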

In reply to Paul Holden

Re: My admin/index.php is wide open

by John D -
Thanks Paul, 
 
I took a closer look:

Upgrade key

If the upgrade key is defined here, then the value must be provided every time
the site is being upgraded through the web interface, regardless of whether the
administrator is logged in or not. This prevents anonymous access to the upgrade
screens where the real authentication and authorization mechanisms can not be
relied on.
Yes, setting that will have my upgrade web interface protected; however, I don't know how many `/admin/` pages are out there in Moodle, but my end goal is to protect all of the `/admin/` pages, not just the upgrade.
 
In reply to John D

Re: My admin/index.php is wide open

by Emma Richardson -
I remember this used to happen during upgrades only but really your site should be in maintenance mode during any upgrade which would stop this behavior. I have never seen other pages exposed and have not seen the upgrade page appear for a few years now.
While I get that your downloader downloaded from Moodle, I would be a little concerned at using another docker image than the basic HQ one - who knows what else might be in there...however, Howard is a regular on these forums and I would trust that there is nothing intentionally bad in there!
In reply to Emma Richardson

Re: My admin/index.php is wide open

by John D -
Thanks for your consideration.

Unlike most people here, I came into the moodle world as a programmer, i.e., docker is something that we use all the time, and there is nothing special or mystery about them.

I.e., for "who knows what else might be in there", once you know docker, and have checked the (only few) config files it has, it will not be a concern at all. But I do agree with you that we need to check before use first.
In reply to John D

Re: My admin/index.php is wide open

by Emma Richardson -
I figured you had looked at it - it is strange though - my site/admin/index is definitely not open to the world - using apache on debian...the only time I have ever seen that behavior was during an upgrade and it was very concerning - I use the upgrade key to stop that but have also thought that maintenance mode also stops that. Is or was your admin index page open when it is was not installing or upgrading something?
In reply to Emma Richardson

Re: My admin/index.php is wide open

by John D -
> the only time I have ever seen that behavior was during an upgrade...

Thank you for bearing with me, as I just realize that I'm too new to moodle to observe then properly describe what's happening to me.

> Is or was your admin index page open when it is was not installing or upgrading something?

And I just realize that this is exactly the problem -- every time I log in as admin, the only account set up on my test site, I'm getting into the admin/index.php page, and the only way out is to follow the flow and do the upgrade, at least that's how it looks to me.

I guess my problem is closely related to my previous problem:

This plugin is already installed on the site
https://moodle.org/mod/forum/discuss.php?d=460738

whereas I cannot uninstall or force a reinstall of a broken plugin. Because of that,

Now I see that I have two missing dependencies, and three Plugins requiring attention.

All in all, I guess you've spotted where the problem is and your reply is the answer to this question.
In reply to John D

Re: My admin/index.php is wide open

by Ken Task -

Congrats, Emma! :) So, due to the environment check and plugin issues, the site was never installed/upgraded, and that's why we kept getting sent to /admin/.

Now  some suggestions ...

Do you still have the issue of a plugin you cannot un-install?

There is CLI script in admin/cli/ called uninstall_plugins.php

Running it without parameters will bring up a help screen from which you can choose/try the options.

Might have to manually remove the offending code folder/directory and moodle will complain, but we know why it's 'missing from disk'!  Press on ... go forward anyway.

Check environment using cli checks.php

Try the upgrade via command line - in cli there is an upgrade.php ... it does do an environment check prior to attempting. If there are errors ... fix 'em! Then try again.

All the above can be done when site is in the maintenance mode - which can be turned on and off with another cli script:

php maintenance.php --enable

php maintenance.php --disable

'SoS', Ken
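Putting Ken's CLI checklist above and Emma's earlier point about maintenance mode together, here is an added shell example (mine, not from the thread or from the Moodle project) that runs the environment check and the upgrade through admin/cli with the site in maintenance mode the whole time, and switches maintenance mode off again even when a step fails, so a broken run never leaves the site in the half-upgraded state that redirects every request to admin/index.php. `MOODLE_DIR`, the `moodle_cli` wrapper, the `--show-missing` option and the assumption that checks.php exits non-zero when a check reports an error are mine; the script names and the `--enable`, `--disable` and `--non-interactive` options are the ones Moodle ships.

```sh
#!/bin/sh
# Added example (not from the thread or from Moodle): run the CLI upgrade path
# with the site in maintenance mode throughout. Assumptions: MOODLE_DIR is the
# Moodle code root and this runs as the web server user (e.g. via sudo -u).
set -eu

MOODLE_DIR="${MOODLE_DIR:-/var/www/moodle}"

# Invoke one script from admin/cli/. Kept as a wrapper so a test can stub `php`.
moodle_cli() {
    script="$1"; shift
    php "$MOODLE_DIR/admin/cli/$script" "$@"
}

# Read-only: list plugins whose code is missing from disk (Ken's "missing from
# disk" case). Assumes uninstall_plugins.php accepts --show-missing.
list_missing_plugins() {
    moodle_cli uninstall_plugins.php --show-missing
}

# Enable maintenance mode, run the environment checks, upgrade only if they
# pass, and always disable maintenance mode again. The exit status of the
# first failing step is returned so a caller (or cron) can see what happened.
maintenance_upgrade() {
    moodle_cli maintenance.php --enable
    status=0
    # Assumption: checks.php exits non-zero when a check reports an error.
    moodle_cli checks.php || status=$?
    if [ "$status" -eq 0 ]; then
        moodle_cli upgrade.php --non-interactive || status=$?
    fi
    moodle_cli maintenance.php --disable
    return "$status"
}

# Stand-alone use: MOODLE_DIR=/path/to/moodle sh maintenance_upgrade.sh --run
if [ "${1:-}" = "--run" ]; then
    maintenance_upgrade
fi
```

Because every step goes through the CLI, none of the web upgrade screens are ever reached, which is why the upgrade key and this procedure complement each other: the key guards the web path if someone does hit it, and the CLI path means a normal upgrade never opens it in the first place.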

In reply to John D

Re: My admin/index.php is wide open

by Emma Richardson -
Download the new version of the h5p mod manually and put it in the folder where you deleted the old h5p plugin...then refresh your webpage and you should be able to continue through the installation part and get to the actual site...