able to move the elgg files outside the public folder

Currently all files required by elgg are stored under one root folder (e.g. public/elgg, where "public" is a www root folder for apache.)

This is not secure.

A better solution is to move all the files to a non-public folder, only the index.php and resources files (css/js/images) are stored in the public folder.

I think a global constant in the index.php specifying the path of the elgg files (e.g. PATH_ELGG="/home/private/elgg/"; ) can do this trick. This also includes a series of changes to the include() statements. Currently the include() in elgg uses dirname(__FILE__) to determine the path; after the PATH_ELGG constant is created, the include() calls need to be changed to something like include(PATH_ELGG . '/somepath');

This is my only wish for elgg's development so far.

  • If the web server can write to the public web directory, regardless of whether you have one file there or a thousand, then there is a security hole. Moving most of the files out does not change this fact. It only means you have fewer file/directory permissions to keep track of.

    The reality right now is that Elgg has 2 user classes:

    1. people who want to download Elgg, ftp to their server, and run (a la WordPress)
    2. developers used to frameworks who would know how to configure an application laid out as you described

    The best solution is one that provides the flexibility to support both classes of users.

  • @cash

    Yeah, leaving only those public-accessible files in the public folder is just one of hundreds of web security measures. It can prevent potential direct access of elgg files which are not intended to be directly accessed, and it makes it easier to maintain the permissions as you mentioned (any upgrade of Elgg may bring new files that require a careful check of file permissions).

    To fit the two user classes, I think a default value for PATH_ELGG will do the trick. e.g.: add this to index.php:

    define('PATH_ELGG', dirname(__FILE__));

    For user class 1, this is totally transparent to them.

    For user class 2, they can change dirname() to whatever they want.
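A worked version of the PATH_ELGG idea from this thread, added here as an example (it is not Elgg's own index.php; the file names config.php and engine/start.php are hypothetical):

```php
<?php
// public/index.php: the only PHP file that has to live under the web root.
// Assumed layout: index.php and css/js/images are public; every other PHP
// file sits in the private directory named by PATH_ELGG.

// User class 2 may define PATH_ELGG in a small public/config.php, e.g.
//   define('PATH_ELGG', '/home/private/elgg');
if (is_file(dirname(__FILE__) . '/config.php')) {
    require dirname(__FILE__) . '/config.php';
}
$overridden = defined('PATH_ELGG');

// Default keeps today's single-folder layout working untouched (user class 1).
if (!$overridden) {
    define('PATH_ELGG', dirname(__FILE__));
}

// Resolve and check the private path before any include relies on it.
$elggRoot = realpath(PATH_ELGG);
if ($elggRoot === false || !is_dir($elggRoot)) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('PATH_ELGG does not point to a readable directory');
}

// If an operator overrode the path but it still resolves to somewhere under
// DOCUMENT_ROOT, the private files remain web-reachable; say so in the log.
$docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
if ($overridden && $docRoot !== false
    && strpos($elggRoot . DIRECTORY_SEPARATOR, $docRoot . DIRECTORY_SEPARATOR) === 0) {
    error_log('notice: PATH_ELGG is inside DOCUMENT_ROOT; private files are web-reachable');
}

// From here on every include is anchored on the constant rather than on the
// including file's dirname(__FILE__), so the private tree can live anywhere.
require PATH_ELGG . '/engine/start.php';   // hypothetical entry file
```

A matching guard at the top of each private file, `if (!defined('PATH_ELGG')) { exit; }`, makes a direct request for any file that does end up web-reachable return nothing instead of executing.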

Feedback and Planning