
move media & index.php to www #363

Open
wants to merge 6 commits into base: devel
Conversation

tenzap
Collaborator

@tenzap tenzap commented Mar 1, 2022

So that only the necessary files are reachable from HTTP server (index.php and media)
See: https://github.com/kalkun-sms/Kalkun/wiki/Making-Kalkun-more-secure

Advantage: Increases security

Drawback:
One has to have control of the configuration of the http server to set the root of the server to www dir

@tenzap tenzap changed the title move application & index.php to www move media & index.php to www Mar 1, 2022
@tenzap
Collaborator Author

tenzap commented Mar 1, 2022

@kingster I can't figure out how to fix that phpunit error. Could you have a look please?

@kingster
Collaborator

kingster commented Mar 3, 2022

Instead of doing this in the codebase, this could be done as part of the packaging step maybe? The reason I say this is for a use case in which a user wants to host Kalkun at a subdirectory instead of a top-level directory (in that case making these changes might not make sense in the source repo).

@tenzap
Collaborator Author

tenzap commented Mar 3, 2022

> Instead of doing this in the codebase, this could be done as part of the packaging step maybe?

That's already done in the Debian packages.

> The reason I say this is for a use case in which a user wants to host Kalkun at a subdirectory instead of a top-level directory (in that case making these changes might not make sense in the source repo).

What do you mean by subdirectory instead of a top-level directory? Could you give an example?

What concerns me is that the files that are at the root of the dir (CREDITS, Readme, the scripts dir...) are all accessible from the webserver, which I think is not good practice and may be a security risk. It would be better to have the files that should be accessible in www only.

If the user has the root of the server set to ~/kalkun/, for example, then he would have to go to www if he's not able to configure the server to point to ~/kalkun/www. But I don't see in which case one can be in this scenario if it is self-hosted.

If not self-hosted, where one has no access to the server config but still has MySQL or another DB... I don't know. Do such setups still exist nowadays?

@kingster
Collaborator

kingster commented Mar 3, 2022

> What do you mean by subdirectory instead of a top-level directory? Could you give an example?

I meant that the user wants it at http://host.name/kalkun and not at http://host.name/

> What concerns me is that the files that are at the root of the dir (CREDITS, Readme, the scripts dir...) are all accessible from the webserver, which I think is not good practice and may be a security risk. It would be better to have the files that should be accessible in www only.

Users should never unpack a git repo in the www directory. They should instead use the dist.zip or .deb to install which doesn't include these files.

> If not self-hosted, where one has no access to the server config but still has MySQL or another DB... I don't know. Do such setups still exist nowadays?

Well, these still do; it's called shared hosting. On such hosting a user won't be able to host gammu as they won't have physical access. But if in the future we support both incoming/outgoing (today only outgoing is supported) with online service providers, then such shared hosting can be used.
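The two deployment shapes discussed in this thread (the PR description's "set the server root to the www dir", and the subdirectory install at http://host.name/kalkun raised above) can be expressed in one Apache virtual host. The configuration below is an added illustration, not part of the Kalkun project or this PR; the paths /srv/kalkun and /srv/kalkun/www, the host name host.name, and the presence of a PHP handler for the virtual host are all assumptions.

```apache
# Added example, not from the Kalkun project. Assumed layout: the checkout is
# in /srv/kalkun and, with this PR's layout, index.php and media/ live in
# /srv/kalkun/www. A PHP handler (mod_php or php-fpm) is assumed to be
# configured elsewhere for the host.

# Weak setting: the document root is the checkout itself, so CREDITS, Readme,
# scripts/ and application/ are all fetchable over HTTP.
#
# <VirtualHost *:80>
#     ServerName host.name
#     DocumentRoot /srv/kalkun
# </VirtualHost>

# Corrected, top-level install (http://host.name/): only www/ is served.
<VirtualHost *:80>
    ServerName host.name
    DocumentRoot /srv/kalkun/www

    # Deny the whole checkout first; the more specific www/ section below
    # overrides it (Apache merges <Directory> sections shortest path first),
    # so a later Alias or typo cannot quietly expose the rest of the tree.
    <Directory /srv/kalkun>
        Require all denied
    </Directory>

    <Directory /srv/kalkun/www>
        Options -Indexes
        Require all granted
    </Directory>
</VirtualHost>

# Variant for the subdirectory case (http://host.name/kalkun): keep whatever
# DocumentRoot the host already has and map only www/ onto the /kalkun prefix.
# Everything outside www/ stays unreachable exactly as above.
#
# Alias /kalkun /srv/kalkun/www
# <Directory /srv/kalkun/www>
#     Options -Indexes
#     Require all granted
# </Directory>
```

The check a practitioner wants after applying either variant is simply that a request for a file outside www/ (for example /CREDITS or /scripts/) returns 403 or 404 rather than the file's contents, while /index.php and /media/ still serve normally.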
