View Issue Details

Field | Value |
---|---|
ID | 14621 |
Project | Feature requests |
Category | [All Projects] Security |
View Status | public |
Date Submitted | 2019-03-08 22:54 |
Last Update | 2019-04-12 12:49 |
Reporter | ollehar |
Assigned To | |
Priority | none |
Severity | feature |
Status | new |
Resolution | open |
Product Version | |
Target Version | |
Fixed in Version | |
Summary | 14621: Hardening PHP during installation |
Description | During the installation, warnings should be shown if PHP is in an insecure setting, e.g. if open_basedir is empty. |
Tags | No tags attached. |
@DenisChenu Any thoughts?
|
open_basedir also needs upload_tmp_dir, session.save_path and /dev/urandom. Other tips: https://howtogetonline.com/how-to-harden-your-php-for-better-security.php Argument against configuration: https://paragonie.com/blog/2017/01/configuration-driven-php-security-advice-considered-harmful
|
I have a lot of systems where open_basedir is badly set, for example: path:/usr/php;. but open_basedir to . only. I'm totally unsure whether we need to try to fix server security issues. Do you know a free tool that checks that? Else:
|
The default permissions on /etc/passwd are -rw-r--r--, which means readable by all users, including a web user like www-data.
|
Right, but we must disallow reading files in open_basedir too: application/config/config.php is a good example.
|
About open_basedir: https://www.limesurvey.org/forum/can-i-do-this-with-limesurvey/117910-excel-error-in-statistical-output-format#181576 set_include_path("."); works with LimeSurvey, but maybe not what the user wants :) Else on some servers: ini_set can be used
|
in config.php. Then maybe we can update the default config.php to
|
@ollehar: I attach some security issues to this one, because I think LimeSurvey must be "secure proof" before giving advice …
|
True. I was discussing this on the ##php IRC channel, too. There's really no good way to check if your server is secure on the PHP level. You can check if the web user has access to this or that file, and recommend that it shouldn't, but there's no way to check if you are running in a secure container, jail or virtual machine. "container > chroot > open_basedir"
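The checks discussed in the description and the notes above (an empty open_basedir; upload_tmp_dir, session.save_path and /dev/urandom falling outside it; whether the PHP process can read /etc/passwd; whether config.php is readable by other local users; and narrowing open_basedir from config.php with ini_set), written out as an added PHP example. This is not LimeSurvey's installer code and not a snippet from this thread. The function names, the two file lists in the CLI driver, the directory-boundary interpretation of open_basedir entries and the reading of the config.php remark as "must not be world-readable" are assumptions made for illustration.

```php
<?php
// Added example, not LimeSurvey installer code. Function names, the default
// file lists and the CLI driver at the bottom are illustrative assumptions.
declare(strict_types=1);

// Split an open_basedir value into absolute directories (PATH_SEPARATOR is ':' on Unix, ';' on Windows).
function openBasedirEntries(string $value): array
{
    $entries = [];
    foreach (explode(PATH_SEPARATOR, $value) as $dir) {
        $dir = trim($dir);
        if ($dir === '') continue;
        // realpath() resolves "." and symlinks; a non-existent entry is kept verbatim so it is still reported.
        $real = realpath($dir);
        $entries[] = rtrim($real !== false ? $real : $dir, DIRECTORY_SEPARATOR);
    }
    return $entries;
}

// True if $path lies inside one of the entries. Matches on a directory boundary, which is
// stricter than PHP's raw prefix match ("/dir/incl" also permits "/dir/include").
function pathAllowedByBasedir(string $path, array $entries): bool
{
    $real = realpath($path);
    if ($real === false) { // missing, or already blocked by the active open_basedir
        return false;
    }
    foreach ($entries as $dir) {
        if ($real === $dir || strncmp($real, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) === 0) {
            return true;
        }
    }
    return false;
}

// Install-time audit. Returns human-readable warnings (empty array = nothing flagged).
// $systemFiles are flagged when the PHP process can read them at all; $appSecrets
// (config.php with the DB credentials) are flagged when other local users can read them.
function phpHardeningWarnings(string $appRoot, array $systemFiles, array $appSecrets): array
{
    $warnings = [];
    $basedir  = trim((string) ini_get('open_basedir'));
    if ($basedir === '') {
        $warnings[] = 'open_basedir is empty: PHP may open any file the web user can read.';
    } else {
        $entries = openBasedirEntries($basedir);
        // session.save_path may carry an "N;" or "N;mode;" prefix before the directory.
        $sessionPath = (string) ini_get('session.save_path');
        if (($p = strrpos($sessionPath, ';')) !== false) {
            $sessionPath = substr($sessionPath, $p + 1);
        }
        // Empty upload_tmp_dir / session.save_path fall back to the system temp dir, the
        // usual reason uploads and sessions break once open_basedir is switched on.
        $needed = [
            'application root'  => $appRoot,
            'upload_tmp_dir'    => ((string) ini_get('upload_tmp_dir')) ?: sys_get_temp_dir(),
            'session.save_path' => $sessionPath ?: sys_get_temp_dir(),
            '/dev/urandom'      => '/dev/urandom',
        ];
        foreach ($needed as $label => $path) {
            if (!pathAllowedByBasedir($path, $entries)) {
                $warnings[] = sprintf('%s (%s) is outside open_basedir "%s".', $label, $path, $basedir);
            }
        }
    }
    foreach ($systemFiles as $file) {
        // is_readable() honours open_basedir, so this reflects what PHP can really open.
        if (@is_readable($file)) {
            $warnings[] = sprintf('%s is readable by the PHP process.', $file);
        }
    }
    foreach ($appSecrets as $file) {
        $mode = @fileperms($file);
        if ($mode !== false && ($mode & 0004) !== 0) {
            $warnings[] = sprintf('%s is world-readable (mode %o).', $file, $mode & 0777);
        }
    }
    return $warnings;
}

// Tighten open_basedir from config.php at runtime. PHP lets a script narrow the
// value but never widen it, so this returns false when a directory lies outside
// the basedir the server already imposed.
function tightenOpenBasedir(array $dirs): bool
{
    $value = implode(PATH_SEPARATOR, $dirs);
    return ini_set('open_basedir', $value) !== false && ini_get('open_basedir') === $value;
}

if (PHP_SAPI === 'cli') {
    $appRoot = $argv[1] ?? getcwd();
    $report  = phpHardeningWarnings($appRoot, ['/etc/passwd', '/etc/shadow'],
        [$appRoot . '/application/config/config.php']);
    echo $report ? '- ' . implode("\n- ", $report) . "\n" : "no PHP hardening warnings\n";
}
```

`ini_get()` reports the configuration of the process it runs in, so the audit only says something about the web setup when it runs under the same SAPI and php.ini as the web server (for example from the installer itself, not from a CLI with a different php.ini). `tightenOpenBasedir()` can only narrow what the server already allows, which is why a call from config.php must still list the upload, session and runtime directories the application needs.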
|
This script could maybe be used in the security tab? "Extra PHP security check". https://github.com/sektioneins/pcc
|
See https://github.com/sektioneins/pcc/blob/master/phpconfigcheck.php#L162 And super admin users are not always the server manager …
|
Found an issue about
Fixed with
|
Update the fix
|
@ollehar: maybe we can update the default generated config.php file when installing?
Maybe these 3 can have an option when installing. Then we secure new installations by default? PS: 1st step is to have a config-generation.php file: easiest to update, with some replacements to do ([REPLACEMENT]?)
|
About security, maybe adding (when installing).
And for fu_file
|
Current test
But runtimePath needs to be available when installing
|
Date Modified | Username | Field | Change |
---|---|---|---|
2019-03-08 22:54 | ollehar | New Issue | |
2019-03-08 22:54 | ollehar | Note Added: 50873 | |
2019-03-08 22:58 | ollehar | Note Added: 50874 | |
2019-03-08 23:38 | DenisChenu | Note Added: 50875 | |
2019-03-08 23:38 | DenisChenu | Note Edited: 50875 | View Revisions |
2019-03-08 23:51 | ollehar | Note Edited: 50874 | View Revisions |
2019-03-08 23:56 | ollehar | Note Added: 50879 | |
2019-03-09 00:40 | DenisChenu | Note Added: 50883 | |
2019-03-12 12:11 | DenisChenu | Note Added: 50916 | |
2019-03-12 12:14 | DenisChenu | Note Edited: 50916 | View Revisions |
2019-03-12 12:19 | DenisChenu | Note Added: 50917 | |
2019-03-12 12:19 | DenisChenu | Note Edited: 50917 | View Revisions |
2019-03-12 12:19 | DenisChenu | Note Edited: 50917 | View Revisions |
2019-03-12 12:20 | DenisChenu | Note Edited: 50917 | View Revisions |
2019-03-12 15:32 | DenisChenu | Relationship added | related to 14637 |
2019-03-12 15:32 | DenisChenu | Relationship deleted | related to 14637 |
2019-03-12 15:32 | DenisChenu | Relationship added | child of 14637 |
2019-03-12 15:35 | DenisChenu | Relationship added | related to 12603 |
2019-03-12 15:35 | DenisChenu | Relationship deleted | child of 14637 |
2019-03-12 15:35 | DenisChenu | Relationship added | related to 14637 |
2019-03-12 15:35 | DenisChenu | Relationship added | related to 14408 |
2019-03-12 15:40 | DenisChenu | Note Added: 50925 | |
2019-03-12 15:44 | ollehar | Note Added: 50926 | |
2019-03-12 16:32 | ollehar | Note Added: 50929 | |
2019-03-12 17:48 | DenisChenu | Note Added: 50932 | |
2019-03-13 08:47 | DenisChenu | Note Added: 50939 | |
2019-03-13 09:00 | DenisChenu | Note Edited: 50939 | View Revisions |
2019-03-15 07:59 | DenisChenu | Relationship added | related to 14643 |
2019-03-19 08:50 | DenisChenu | Note Added: 51046 | |
2019-03-19 08:52 | DenisChenu | Note Added: 51047 | |
2019-03-19 08:54 | DenisChenu | Note Edited: 51047 | View Revisions |
2019-03-27 12:19 | DenisChenu | Note Added: 51163 | |
2019-04-08 16:05 | DenisChenu | Note Added: 51418 | |
2019-04-12 12:49 | DenisChenu | Relationship added | related to 14772 |