Security Settings Guideline for Zurmo/Yii

security chmod installation

No replies to this topic

#1 Burke

Advanced Member, 40 posts, Lawrenceville, GA

Posted 23 April 2015 - 02:00 AM

I found this in an article on the Yii website. Yii is the underlying open-source framework on which the developers of Zurmo have built their application.

 

I have not gone through and tested this, but it should help most people get at least close to what is needed on their servers.

 

I hope it helps.

 

http://www.yiiframew...lications/#hh18

For a Yii application 

The directory containing the framework should not be under the document root of your server (there is no reason a user should be able to reach files like "yiilite.php" from a web browser).

Three directories must be writable by the web server: "assets", "protected/data" and "protected/runtime". The web server should have only read access to everything else. This way, an attacker who compromises the application can only create or modify files in these directories. The "assets" folder is especially dangerous, since it is both writable and directly reachable over HTTP. Therefore, the PHP files it contains should not be interpreted but served as plain text (see the example below).

Yii's default application has ".htaccess" files that forbid direct web access to "protected/" and "themes/classic/views/". It is a bit safer (and faster) to put this configuration in Apache's global configuration. Here is an example that also disables PHP execution in "assets/".

[apache]
# Example config for Yii-myapp and Apache
# Please set the paths to their correct values

# put the application in some custom url
# (instead of an Apache alias, a symbolic link can be used)
Alias /web/path/for/myapp "/home/myapp/www"

<Directory "/home/myapp/www">
AllowOverride None
</Directory>

<Directory "/home/myapp/www/protected">
Deny from All
</Directory>

<Directory "/home/myapp/www/assets">
php_admin_flag engine off
Options -Indexes
</Directory>

Instead of the previous configuration, here is an example of putting a Yii application in a Virtual Host. Each security directive has an explanatory comment.

[apache]
# Example config for Yii-myapp as an Apache VirtualHost
# Please set the paths and the host name to their right values

<VirtualHost *:80>
ServerName myapp.com
DocumentRoot /home/myapp/www

ErrorLog /var/log/apache2/myapp-error.log
CustomLog /var/log/apache2/myapp-access.log common

<Directory "/home/myapp/www">
Options +FollowSymLinks
# These 2 lines are useless with modern PHP: both settings were removed in
# PHP 5.4, so on such versions drop them instead of setting them
php_flag register_globals Off
php_flag magic_quotes_gpc Off
# Forbid .htaccess to change settings
AllowOverride None

<IfModule mod_rewrite.c>
# The following block is for masking "index.php" in the url
# To enable it, configure the app: urlManager.showScriptName = false
IndexIgnore */*
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php
</IfModule>
</Directory>

# Forbid direct access to this directory
<Directory "/home/myapp/www/protected">
Deny from All
</Directory>

# protect several non-PHP directories
<DirectoryMatch "/home/myapp/www/(assets|css|images|js)$">
# Forbid execution of PHP scripts
php_admin_flag engine off
# Forbid listing of files
Options -Indexes
</DirectoryMatch>
</VirtualHost>

For every PHP project 

A few useful directives:

Directive: Comment
allow_url_include: Should be off (PHP 5.2).
register_globals: This is obsolete and dangerous. Should be off.
magic_quotes_gpc: Important for many PHP applications, but Yii negates its effect. Should be off.
open_basedir: Can restrict PHP to access only some directories. Use with caution.
display_errors: Should be off in production.
error_reporting: Should always include at least E_ERROR. See the official documentation.

These directives can be set in the global "php.ini" file. If Apache has AllowOverride Options, then ".htaccess" can be used.

[apache]
# .htaccess file
php_flag display_errors off
php_value error_reporting -1

One can also use php_admin_flag and php_admin_value to set config parameters that can't be changed dynamically with ".htaccess" or ini_set(). Here is an example in an Apache config file.

[apache]
# Apache config file
<Directory "/var/www/myapp">
php_admin_value open_basedir /var/www/myapp/:/tmp/
</Directory>
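The rule above that only "assets", "protected/data" and "protected/runtime" may be writable is easy to get wrong after an install or an upgrade, so here is an added shell check (example code, not from the Yii article or the Zurmo project) that lists every path under an application root that is group- or world-writable outside those three directories. It approximates "writable by the web server" as group/other write bits, which assumes the application files are owned by a deploy user rather than by the web server account; the function names and the constructed sample tree are this example's own.

```shell
#!/bin/sh
# Added example: audit a Yii/Zurmo tree against the writable-directory rule.
# Allow-list (from the article): assets/, protected/data/, protected/runtime/.

# Print each path under $1 that has a group or other write bit set but is
# not inside an allowed writable directory. Prints nothing if the tree is clean.
audit_writable() {
    root=$1
    # GNU find: -perm /022 matches if the group OR other write bit is set
    find "$root" -perm /022 | sort | while IFS= read -r p; do
        rel=${p#"$root"/}
        case "$rel" in
            assets|assets/*|protected/data|protected/data/*|protected/runtime|protected/runtime/*)
                ;;  # allowed to be writable
            *)
                echo "UNEXPECTED WRITABLE: $rel"
                ;;
        esac
    done
}

# Constructed sample tree standing in for an install under the document root
# (hypothetical layout; real Zurmo trees have many more files).
make_sample_tree() {
    root=$1
    mkdir -p "$root/assets" "$root/protected/data" "$root/protected/runtime" \
             "$root/protected/config" "$root/js"
    printf '<?php\n' > "$root/index.php"
    printf '<?php\n' > "$root/protected/config/main.php"
    chmod -R go-w "$root"
    chmod g+w "$root/assets" "$root/protected/data" "$root/protected/runtime"
    # deliberate misconfiguration for the demo: the config file is left group-writable
    chmod g+w "$root/protected/config/main.php"
}

# Stand-alone demo: builds the sample tree, audits it, cleans up.
demo() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    audit_writable "$tmp"
    rm -rf "$tmp"
}

demo
```

Run it against a real install as `audit_writable /home/myapp/www`; any line it prints is a file or directory the web server could modify that the article says should be read-only.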






