Custom Data Directory Location?
#1
I was wondering if there was a way to define the data directory in a different location area of the site, or in its own independent folder? I was thinking about this in terms of security.
Reply
#2
Not really. Theoretically you could change the datadir definition in common.php, but I bet there is a hardcoded path somewhere that will break. Also, you can probably use a symlink, but again, not sure if that works either.

Ideally I would like all paths editable at some point, but it was not designed as such from the start.

Edit: yup, I just did a cursory search and data/ is hardcoded all over the place.

One of my refactor goals is to fix all those, so we can at least start testing variable pathing and seeing what works.
NEW: SA Admin Toolbar Plugin | View All My Plugins
- Shawn A aka Tablatronix
Reply
#3
Sounds good. I look forward to hearing an update on this feature.

(2013-08-23, 07:19:08)shawn_a Wrote: Not really. Theoretically you could change the datadir definition in common.php, but I bet there is a hardcoded path somewhere that will break. Also, you can probably use a symlink, but again, not sure if that works either.

Ideally I would like all paths editable at some point, but it was not designed as such from the start.

Edit: yup, I just did a cursory search and data/ is hardcoded all over the place.

One of my refactor goals is to fix all those, so we can at least start testing variable pathing and seeing what works.
Reply
#4
Many thanks Shawn!
Reply
#5
Damn it, this is what I was afraid of. Having the data folder web accessible is a security and hacking issue.

I tried to create a GSDATAPATH and move the data folder to a non web accessible location, but the requests for the directory /data/ are located in many places, which are hard-coded using /data/ instead of a common GSDATAPATH or even GSROOTPATH.

I can certainly go and edit all of the core files, but then that makes it a big issue when you need to do an update.

This makes using Get Simple CMS not possible, as the site will be at too much risk of being hijacked.

Maybe a future update will allow us to move the data directory out of the public_html folder and to a non direct web accessible folder.

Cheers

GW
Reply
#6
(2013-11-07, 12:19:47)~GW~ Wrote: Maybe a future update will allow us to move the data directory out of the public_html folder and to a non direct web accessible folder.

Great idea!
Reply
#7
(2013-11-07, 12:19:47)~GW~ Wrote: Damn it, this is what I was afraid of. Having the data folder web accessible is a security and hacking issue....
...This makes using Get Simple CMS not possible, as the site will be at too much risk of being hijacked.

@GW
Sometimes nutters appear on the forum making unsubstantiated claims of massive security holes. I take it you are not one of them, but you had better be a bit clearer about exactly what your insight is. I have seen websites hijacked and once I saw a GS website hijacked but it had nothing to do with how folders were arranged in the CMS.
Reply
#8
Well, he is correct; you typically want to put any writable data outside of your webspace in a chroot jail.
This basically protects you against the chance that someone manages to find a hole to upload a shell; if it is not in the webroot, there is much less of a chance of it being successfully executed over the web after infection.

This comes down to having "absolute security", in that you can never predict every vector of attack or future attacks, and that protecting your data folders with rules can never be 100% secure in theory, because you cannot cover situations that do not exist yet or are unknown.

So the safest bet is the only way to have the best security.
- Shawn A aka Tablatronix
Reply
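An added example, not part of any post in this thread and not GetSimple code: a layout check for the point discussed above, that a data directory is only out of reach when nothing under the web root leads to it. It looks at the filesystem only and assumes the web server follows symlinks and has no deny rule for the directory; the directory names `public_html`, `private` and `data` in the demo are constructed.

```python
import os
import tempfile

def is_within(path, parent):
    """True if path is parent or lies beneath it, after resolving symlinks."""
    path, parent = os.path.realpath(path), os.path.realpath(parent)
    return os.path.commonpath([path, parent]) == parent

def exposure(webroot, datadir):
    """Return reasons datadir is reachable through webroot (empty list = none found)."""
    reasons = []
    if is_within(datadir, webroot):
        reasons.append("data directory is inside the web root")
    real_data = os.path.realpath(datadir)
    # A symlink in the web root that points at (or above) the data directory
    # still publishes it when the server follows symlinks (assumption).
    for dirpath, dirnames, filenames in os.walk(webroot):
        for name in dirnames + filenames:
            entry = os.path.join(dirpath, name)
            if os.path.islink(entry) and is_within(real_data, entry):
                reasons.append("symlink %s leads to the data directory" % entry)
    return reasons

def demo():
    """Build three constructed layouts in a temp dir and check each one."""
    with tempfile.TemporaryDirectory() as top:
        results = {}
        for layout in ("inside", "outside", "symlinked"):
            webroot = os.path.join(top, layout, "public_html")
            private = os.path.join(top, layout, "private", "data")
            os.makedirs(webroot)
            if layout == "inside":
                datadir = os.path.join(webroot, "data")
                os.makedirs(datadir)
            else:
                datadir = private
                os.makedirs(datadir)
                if layout == "symlinked":
                    # Moved out of the web root, but linked back in as data/
                    os.symlink(private, os.path.join(webroot, "data"))
            results[layout] = exposure(webroot, datadir)
        return results

if __name__ == "__main__":
    for layout, reasons in demo().items():
        print(layout, "->", reasons or "not reachable through the web root")
```

Only the "outside" layout comes back clean: a data directory moved out of the web root and then symlinked back in as `data/` is reported just like one that never moved.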
#9
(2013-08-23, 07:19:08)shawn_a Wrote: Not really. Theoretically you could change the datadir definition in common.php, but I bet there is a hardcoded path somewhere that will break. Also, you can probably use a symlink, but again, not sure if that works either.

Ideally I would like all paths editable at some point, but it was not designed as such from the start.

Edit: yup, I just did a cursory search and data/ is hardcoded all over the place.

One of my refactor goals is to fix all those, so we can at least start testing variable pathing and seeing what works.

What is the situation with this one? I would love to run this cms on GAE..
Reply
#10
3.4 will have better support for this.
https://github.com/GetSimpleCMS/GetSimpleCMS/issues/454
- Shawn A aka Tablatronix
Reply



