Difference between revisions of "Moving sensitive files outside the web root"

From Joomla! Documentation


Revision as of 08:43, 15 November 2012

Using symlinks?

Can the same kind of security not be reached using a symlink on *nix systems? So you place the configuration.php above the webroot and place a symlink from the original position to the new place of the configuration.php?

Symlinks defeat this.

Normally, web servers will follow symlinks (although this is configurable on most web servers).

If you move files out of the web root and make a symlink to them the files are still readable by the world.

The advantage of moving read-only files out of the web root and making a symbolic link to them is that it allows you to segment your auditing of your server, and allows things as simple as find -type f to locate all files to be audited after a suspected intrusion.

Furthermore, symlinks can cause certain attacks to fail, as they are based on assumptions that are not true.

I am a big fan of symlinks, but they are no substitute for not allowing access to the files in question.
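The two points made above, that a symlink under the web root makes the "moved" file just as reachable as before, and that a plain find -type f audit no longer lists it, are easy to check on a throwaway directory. The following shell script is an added example, not code from the Joomla documentation or from the commenters: it builds a constructed layout in a temporary directory (a fake configuration.php one level above a public_html web root, with a symlink back into the web root), then shows what a path walk that follows symlinks sees versus what a non-following audit sees. The helper names (make_site, escapes_webroot, list_escaping_links and the rest) are hypothetical; readlink -f is assumed to be available (GNU or BusyBox coreutils).

```shell
#!/bin/sh
# Added example (not from the Joomla talk page): constructed web-root layout
# used to show that a symlink re-exposes a file moved above the web root.
set -eu

# Build the constructed layout and print its base directory:
#   $site/configuration.php                  <- moved out of the web root
#   $site/public_html/                       <- web root
#   $site/public_html/configuration.php      -> ../configuration.php
make_site() {
  site=$(mktemp -d)
  mkdir -p "$site/public_html"
  # Constructed secret; stands in for real database credentials.
  printf '<?php $secret = "constructed-db-password";\n' > "$site/configuration.php"
  ln -s ../configuration.php "$site/public_html/configuration.php"
  printf '%s\n' "$site"
}

# Resolve a path the way a server with symlink following enabled would
# (readlink -f) and return 0 when the resolved target lies OUTSIDE the
# given web root, 1 when it stays inside. Hypothetical helper.
escapes_webroot() {
  root=$(readlink -f "$1")
  target=$(readlink -f "$2")
  case "$target" in
    "$root"/*) return 1 ;;
    *)         return 0 ;;
  esac
}

# What a non-following audit (find -type f) counts under the web root:
# the symlink is type l, so the moved file is not counted.
count_regular_files() {
  find "$1" -type f | wc -l | tr -d ' '
}

# Same audit with -L: symlinks are followed, so the moved file IS counted,
# which is also the view a symlink-following web server has of the tree.
count_reachable_files() {
  find -L "$1" -type f | wc -l | tr -d ' '
}

# Defender's check: every symlink under the web root whose target resolves
# outside it. Each such link undoes the "move it out of the web root" step.
list_escaping_links() {
  webroot=$1
  find "$webroot" -type l | while IFS= read -r link; do
    if escapes_webroot "$webroot" "$link"; then
      printf '%s\n' "$link"
    fi
  done
}

# Stand-alone run: build the layout, report, and clean up.
if [ "${1:-}" = "demo" ]; then
  s=$(make_site)
  echo "regular files under web root (find -type f): $(count_regular_files "$s/public_html")"
  echo "files reachable through links (find -L):     $(count_reachable_files "$s/public_html")"
  echo "symlinks escaping the web root:"
  list_escaping_links "$s/public_html"
  rm -rf "$s"
fi
```

Run it as `sh script.sh demo`. The non-following count is 0 while the following count is 1, and the escaping-link list names public_html/configuration.php, which is exactly the gap the comment above describes: the file is physically outside the web root, so a `find -type f` sweep of the web root misses it, yet any component that resolves the link (the web server with symlink following on, or PHP's own include of the path) still reaches it. On Apache the server-side half is governed by `Options -FollowSymLinks` (or `SymLinksIfOwnerMatch`) for the directory, which is the "configurable on most web servers" knob the comment refers to; it does not change what the PHP process itself can open, so it restricts direct URL access to the link rather than removing the file's exposure to the application.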

Discussion on the forum

Moving the reference to the discussion on the forum over to this page. Thread on the forum: http://forum.joomla.org/viewtopic.php?f=432&t=490901 (forum topic)

This page should probably be moved.

As the page notice indicates, the security information on this page is generally accepted by the security moderators as no longer relevant and provides no additional or very minimal additional security to a website. This page currently remains for historical purposes and should either be deleted or removed from the multiple categories it currently resides in and moved into the new security area.

phild (talk) 17:48, 13 November 2012 (CST)

Hi Phil, If I'm understanding you right, strip all categories and use a new one called Category:Security Archives. Then update the Security page to show archived security articles in a new box or DPL'd from the category. Tom Hutchison (talk) 07:43, 15 November 2012 (CST)