[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Phpgroupware-cvs] CVS: phpwebhosting/doc INSTALL,NONE,1.1 README,NONE,1
From: |
Jason Wies <address@hidden> |
Subject: |
[Phpgroupware-cvs] CVS: phpwebhosting/doc INSTALL,NONE,1.1 README,NONE,1.1 |
Date: |
Sun, 24 Feb 2002 23:58:50 -0500 |
Update of /cvsroot/phpgroupware/phpwebhosting/doc
In directory subversions:/tmp/cvs-serv30388
Added Files:
INSTALL README
Log Message:
Initial commit
--- NEW FILE ---
INSTALL
-------
Command examples are suggestions only. Use your head.
COMMAND SUMMARY
---------------
cp -a /some/path/to/phpgroupware/files /path/to/files
cd /path/to/files
chown -R nobody .
-OR-
chmod -R 777 .
http://yourhost.com/setup/ > Setup/Config > Edit Current Configuration
"Enter the full path for users and group files" => /path/to/files
FULL EXPLANATION
----------------
[REQUIRED] Copy phpgroupware/files to where you want to store the files.
THIS SHOULD BE SOMEWHERE NOT INSIDE THE WEBROOT AND NOT ACCESSIBLE
TO THE WEB.
Having the files within the webroot is a huge security risk as well
as a privacy concern.
The exception to this would be if you WANT the users' and groups'
files to be accessible
from the web, such as when setting up public or semi-public web
page/document hosting. In
this case, the files directory can be left where it is.
(Make sure you copy the directory, don't just make a new one. The
necessary directories
are files/ and files/home/)
[REQUIRED] In http://yourhost.com/setup, login to Setup/Config, then Edit
Current Configuration. Enter the FULL path for the files directory you created
earlier in the second box from the top.
[REQUIRED] Change permissions for files directory and all it's subdirectories
to be writable by Apache
This is the files directory you created earlier and specified in
setup (Edit Current Configuration). Note that 'nobody' below could also be
'apache' on your system. Check the 'User' setting in your httpd.conf.
cd /path/to/files
chown -R nobody .
-OR-
chmod -R 777 .
SECURITY CONCERNS
-----------------
There are many security concerns related with allowing users to store files on
the server. The most common problem is that users can upload any type of file,
including CGI and PHP scripts. This in effect grants them local access to the
machine, and can be used to read database passwords and other sensitive files.
The ability to upload files of any type is not forbidden by phpwebhosting
because it is sometimes desired, and also the types of vulnerable files differ
from server to server. To combat this, you can add a simple entry to Apache's
httpd.conf to prevent certain types of files from being executed. Included
below is an example that results in .cgi, .pl, .php, .php3, and .phps files
being treated as normal text files. It also explicitly turns all Options off,
which includes turning Indexes (listing of files) off.
<Directory /path/to/files>
Options None
AllowOverride None
DirectoryIndex index.html
RemoveHandler cgi-script .cgi .pl
RemoveType application/x-httpd-php .php .php3
RemoveType application/x-httpd-php-source .phps
</Directory>
--- NEW FILE ---
Module: phpwebhosting
Author: Jason Wies <address@hidden>
Comments to: address@hidden, address@hidden
Description: The file manager for phpGroupWare. Abilities include all common
file actions (upload, mkdir, rename, delete, copy, move), creating and editing
text files, and syncing with the file system. Per file/directory comments are
stored, and version history is tracked. Group sharing and ACL are fully
supported.
NOTES
-----
phpwebhosting replaces filemanger. phpwebhosting should be used instead of
filemanager in all new installs.
phpwebhosting will be renamed after 0.9.14, at least in time for 0.9.16, but
perhaps much sooner. Most likely it will be renamed to 'filemanager', and the
current 'filemanager' removed completely.
phpwebhosting started as an independent (non-phpGroupWare) project, and there
continues to be a separate stand-alone distribution available at
http://phpwebhosting.sourceforge.net. This is also the origin of the name, as
the code was originally (and still can be) used for public webhosting.
For installation help, see the INSTALL file in this directory.
DEV NOTES
---------
index.php is depreciated by the inc/class.xxphpwebhosting.inc.php files.
index.php is still used in the 0.9.14 release, but all future changes should be
made to the inc/class.xxphpwebhosting.inc.php files (3-tiered). This includes
using templates.
See the docs in phpgwapi/doc/vfs for more information on interacting with the
VFS (Virtual File System).
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Phpgroupware-cvs] CVS: phpwebhosting/doc INSTALL,NONE,1.1 README,NONE,1.1,
Jason Wies <address@hidden> <=