Actions

Talk

Difference between revisions of "Moving sensitive files outside the web root"

From Joomla! Documentation

m (This page should probably be moved.: Answer)
(Looks Good: new section)
 
Line 26: Line 26:
  
 
:Hi Phil, If I'm understanding you right, strip all categories and use a new one called [[:Category:Security Archives]]. Then update the [[Security]] page to show archived security articles in a new box or DPL'd from the category. [[User:Hutchy68|Tom Hutchison]] ([[User talk:Hutchy68|talk]]) 07:43, 15 November 2012 (CST)
 
:Hi Phil, If I'm understanding you right, strip all categories and use a new one called [[:Category:Security Archives]]. Then update the [[Security]] page to show archived security articles in a new box or DPL'd from the category. [[User:Hutchy68|Tom Hutchison]] ([[User talk:Hutchy68|talk]]) 07:43, 15 November 2012 (CST)
 +
 +
== Looks Good ==
 +
 +
The page archive looks good.

Latest revision as of 11:35, 26 November 2012

Using symlinks?

Can the same kind of security not be reached using a symlink on *nix systems? So you place the configuration.php above the webroot and place a symlink from the original position to the new place of the configuration.php?

Contents

Symlinks defeat this.

Normally, web servers will follow symlinks. (although this is configurable on most web servers.)

If you move files out of the web root and make a symlink to them the files are still readable by the world.

The advantage of moving read only files out of the web root and making a symbolic link to them is that it allows you to segment your auditing of your server, and allows things as simple as find -type f to locate all files to be audited after a suspected intrusion.

Further more, symlinks can cause certain attacks to fail as they are based on assumptions that are not true.

I am a big fan of symlinks, but they are no substitute for not allowing access to the files in question.

Discussion on the forum

Moving the reference to the discussion on the forum over to this page. Thread on the forum: forum topic

This page should probably be moved.

As the page notice indicates, the security information on this page is generally accepted by the security moderators as no longer relevant and provides no additional or very minimal additional security to a website. This page currently remains for historical purposes and should either be deleted, removed from the multiple categories it currently resides in and moved into the new security area.

phild (talk) 17:48, 13 November 2012 (CST)

Hi Phil, If I'm understanding you right, strip all categories and use a new one called Category:Security Archives. Then update the Security page to show archived security articles in a new box or DPL'd from the category. Tom Hutchison (talk) 07:43, 15 November 2012 (CST)

Looks Good

The page archive looks good.