Require write permissions only for relevant directories #40

Closed
nodiscc opened this issue Nov 5, 2014 · 6 comments · Fixed by #1604

@nodiscc
Member

nodiscc commented Nov 5, 2014

It is recommended to not give write access to all files to the webserver process (see https://wiki.debian.org/Apache/Hardening#File_permissions). The dirs for which write permissions are required are cache, data, pagecache and tmp, so we should only check these.

This allows installing Shaarli with user/group someuser:www-data and permissions 640 (750 for dirs), except for these read/write dirs. The permissions can be stored in the git repository (so no extra chmod/chown commands required at install).

This was requested at sebsauvage#181, and discussed at #11 (comment)

@nodiscc
Member Author

nodiscc commented Nov 10, 2014

Git actually only stores the executable bit, not r/w permissions (https://stackoverflow.com/questions/3207728/retaining-file-permissions-with-git). So we can't store the permissions in the repo unfortunately.

The requirement/error message for r/w permissions should still be fixed. I will add a paragraph to the wiki about the ideal permissions setup (everything owned by someoneelse:www-data, 640 for files, 750 for dirs. Only cache, data, pagecache and tmp should be 770). This might not be possible for everyone because on shared hosts you sometimes use FTP as the www-data user.
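
The layout proposed in the comment above (640 for files, 750 for dirs, 770 only for cache, data, pagecache and tmp) can be audited with a short script. This is an added example, not Shaarli code: `scan_tree`, `audit_perms`, `make_sample_tree` and the `inc/example.css` file are hypothetical names, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: report paths whose mode differs from the layout proposed above.
# Only mode bits are checked; ownership (someuser:www-data) is not.

# find(1) expression matching the four directories the web server writes to.
RW='( -path ./cache -o -path ./data -o -path ./pagecache -o -path ./tmp )'

scan_tree() (
    cd "$1" || exit 2
    {
        for d in cache data pagecache tmp; do
            if [ -d "$d" ]; then
                # -prune: test the directory itself, do not descend into it
                find "./$d" -prune ! -perm 770 -print | sed 's/^/want-770 /'
            else
                echo "missing ./$d"
            fi
        done
        # Everything outside the read/write dirs: 750 for dirs, 640 for files.
        find . $RW -prune -o -type d ! -perm 750 -print | sed 's/^/want-750 /'
        find . $RW -prune -o -type f ! -perm 640 -print | sed 's/^/want-640 /'
    } | LC_ALL=C sort
)

# Prints one finding per line; returns 0 if clean, 1 on findings, 2 on error.
audit_perms() {
    findings=$(scan_tree "$1") || return 2
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree with the recommended modes (file names are made up).
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/cache" "$t/data" "$t/pagecache" "$t/tmp" "$t/inc"
    : > "$t/index.php"; : > "$t/inc/example.css"
    chmod 750 "$t" "$t/inc"
    chmod 770 "$t/cache" "$t/data" "$t/pagecache" "$t/tmp"
    chmod 640 "$t/index.php" "$t/inc/example.css"
    echo "$t"
}

tree=$(make_sample_tree)
chmod 777 "$tree/index.php"               # constructed deviation
audit_perms "$tree" || echo "deviations found"
rm -rf "$tree"
```

Files inside the four read/write directories are deliberately skipped, since the web server creates them with its own umask.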

@nodiscc
Member Author

nodiscc commented Aug 5, 2015

Bumping this issue

https://github.com/shaarli/Shaarli/blob/master/index.php#L110

Can we check only if required directories exist/are writable instead?
We can then remove the mkdir() calls.

@nodiscc nodiscc modified the milestones: 0.6.0, 0.9.0 Aug 5, 2015
@ArthurHoaro
Member

Yes, we can check every directory individually. If it doesn't exist, we can create it though. The only issue is if it's not writable.

@nodiscc nodiscc removed their assignment Sep 29, 2015
@virtualtam
Member

Hi all!
As nobody's currently assigned, I'd like to start working on this as part of #372 :)

Suggestion:

  • check whether file/folder permissions match the wiki's Shaarli configuration
  • display a warning message with all information, so the user doesn't have to play hide & seek with permissions to get Shaarli working

@virtualtam virtualtam modified the milestones: 0.6.1, 0.6.0 Nov 9, 2015
@virtualtam virtualtam mentioned this issue Nov 9, 2015
@virtualtam virtualtam self-assigned this Nov 10, 2015
virtualtam added a commit to virtualtam/Shaarli that referenced this issue Nov 11, 2015
Closes shaarli#40

TODO:
 - factorize duplicated code
 - see whether having incorrect permissions for minor dirs should be blocking

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
virtualtam added a commit to virtualtam/Shaarli that referenced this issue Nov 17, 2015
Closes shaarli#40

Additions:
 - FileUtils: IOException
 - ApplicationUtils:
   - check if Shaarli resources are accessible with sufficient permissions
   - redirect to an error summary when needed
 - index.php:
   - check access permissions and redirect to an error page if needed:
     - before running the first installation

Modifications:
 - LinkDB:
   - factorize datastore write code
   - check if the datastore
     (exists AND is writeable) OR (doesn't exist AND its parent dir is writable)
   - raise an IOException if needed

TODO:
 - index.php:
   - check access permissions and redirect to an error page if needed:
     - in case the datastore cannot be created/written
 - see whether having incorrect permissions for minor dirs should be blocking
 - add a Tools page to check resource access permissions

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
virtualtam added a commit to virtualtam/Shaarli that referenced this issue Nov 22, 2015
Relates to shaarli#40

Additions:
 - FileUtils: IOException
 - ApplicationUtils:
   - check if Shaarli resources are accessible with sufficient permissions
 - index.php:
   - check access permissions and redirect to an error page if needed:
     - before running the first installation

Modifications:
 - LinkDB:
   - factorize datastore write code
   - check if the datastore
     (exists AND is writeable) OR (doesn't exist AND its parent dir is writable)
   - raise an IOException if needed

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
@ArthurHoaro ArthurHoaro modified the milestones: 0.7.1, 0.7.0 May 14, 2016
@virtualtam virtualtam modified the milestones: 0.9.0, 0.8.0 Jul 23, 2016
@ArthurHoaro ArthurHoaro modified the milestones: 0.9.0, 0.9.1 Jan 25, 2017
@virtualtam virtualtam modified the milestones: 0.10.0, 0.9.1 Jul 29, 2017
@virtualtam virtualtam modified the milestones: 0.10.0, 0.10.1 Jan 10, 2018
@ArthurHoaro ArthurHoaro modified the milestones: 0.10.1, 0.10.2 Jul 29, 2018
@ArthurHoaro ArthurHoaro modified the milestones: 0.10.2, 0.10.3 Aug 11, 2018
@virtualtam virtualtam modified the milestones: 0.10.3, 0.11.0 Feb 23, 2019
@ArthurHoaro ArthurHoaro modified the milestones: 0.11.0, 0.11.1 Jul 27, 2019
@ArthurHoaro ArthurHoaro modified the milestones: 0.11.1, 0.11.2 Aug 7, 2019
@ArthurHoaro ArthurHoaro modified the milestones: 0.12.0, 0.12.1 Sep 3, 2020
ArthurHoaro added a commit to ArthurHoaro/Shaarli that referenced this issue Oct 21, 2020
It contains mostly read only information about the current Shaarli instance,
PHP version, extensions, file and folder permissions, etc.
Also action buttons to clear the cache or sync thumbnails.

Part of the content of this page is also displayed on the install page,
to check server requirement before installing Shaarli config file.

Fixes shaarli#40
Fixes shaarli#185