data dir file permission 700 in public_html

Hello, I have had trouble setting a data dir out of the main Elgg dir, but the data dir is set to 700, which should be secure. Is that alright or should I try to chown a dir off the root? I would think 700 was secure from the public.

  • As http://learn.elgg.org/en/stable/intro/install.html#create-a-data-folder says, the data folder within the document root directory (public_html or whatever it is named on your server) is insecure. The point is that file/directory permissions restrict the access from local access on the server but the access permissions must allow the webserver to read/write the files in any case and the webserver will directly serve anything within the document root folder. So, the content of the data directory will not only be accessible to the users who have the sufficient access level (public, logged-in etc.) as handled by the Elgg engine if the data directory is outside the document root folder but anyone can access the content of the data directory directly if the data folder is within the document root folder.

    So, try to get the data directory working placed outside the document root folder as this is the only way to get proper access control. If you don't know how to get it working, you might want to ask the support of your webhoster for help (first choice) or ask for help here (second choice). If your webhoster doesn't allow you to create directories outside the document root folder (e.g. on free hosting plans or with access restrictions set by the open_basedir PHP variable), you might need to host your site on another webhoster's server or change your hosting plan. But don't try the "cheap" way even if it seems easier for now and everything seems to work. It's just not recommended this way.

  • I am trying to find out how to get it to work on my server, which is a hybrid nginx+Apache, and I have tried various chmod shell attempts but to no avail. Also, it is my own VPS server, so there are no other users aside from myself.

  • It's not about local users. It's about remote visitors. Everything within the document root folder is public over the Internet.

    I've no experience with nginx. But I don't think the webserver used should matter with regards to where the data directory is created. It should work with Apache and nginx. And you don't provide the URL but the absolute full path on the filesystem to the data directory during installation. You only need to make sure the webserver process (not running as root) can read/write/access the data folder you have created. So, either 777 permissions (no problem if OUTSIDE document root directory and no other local users on the server) or you can set it to 700 but change the owner and group of the data directory to be owned by the account used by the webserver process.

  • Let's imagine that your Elgg was installed in:

    /var/public_html/

    Then your data should be in this directory:

    /var/public_html/data

    And all Elgg files in:

    /var/public_html/elgg

    So your commands are:

    cd /var/public_html/
    
    chown www-data:www-data -R data
    
    chmod 770 -R data

  • @RvR That's absolutely WRONG!

    Data directory must NOT be in public_html (or whatever the document root folder is named) for security reasons. It's to be created OUTSIDE!

    So,

    /var/data or /home/<username>/data

    could be possibilities but absolutely NOT anywhere in /var/public_html. Period!

  • @iionly It's right IF you've installed Elgg into public_html or www directory (I guess TC did it).

    For example, we have the server's /var/www and ALL our projects are installed like this:

    /var/www/project1
    
    /var/www/project2
    
    /var/www/project3
    
    etc

    which include

    /var/www/project1/data
    
    /var/www/project1/elgg
    
    /var/www/project2/data
    
    /var/www/project2/elgg
    
    /var/www/project3/data/
    
    /var/www/project3/elgg
    
    etc

  • No. It's still wrong. The point is: the data directory must not be created within the document root directory or in any subdirectory below it, because this results in direct access of the content of the data directory over the Internet. If you have installed Elgg directly in the document root directory, the Elgg install directory and document root are the same (and that's why some people might wrongly assume that it's enough to create the data folder "outside the Elgg install directory"). But the point is: the data directory must be outside the document root directory regardless if you install Elgg directly in it or in a subdirectory within it.

    Just read http://learn.elgg.org/en/stable/intro/install.html#create-a-data-folder. It might not be clearly explained WHY you need to create the data folder outside document root. But it's clearly written there. And you can also test it on your own: if you know the path to a file within the data directory (and this data directory is inside the document root folder) you can access this file directly in the browser (site.url/path/to/file) even when logged out regardless of any access level set for this file.

  • @iionly :)  I don't want to argue that it's tested on many servers already.

    All our data folders are "outside the Elgg install directory":

    /var/www/site1 -- this is 1st "startpoint"

    In there we've installed the 1st Elgg site:

    /var/www/site1/data -- data dir

    /var/www/site1/elgg -- elgg dir

    Same for others...

    When you talk about

    Just read http://learn.elgg.org/en/stable/intro/install.html#create-a-data-folder. It might not be clearly explained WHY you need to create the data folder outside document root.

    You can see that my/our installations correspond to it. And these are not even subfolders.

    Otherwise, none of these sites would work ;)

  • I got it set right now. It was my server messing up; I had to reinstall the server and now everything is working fine on nginx.

  • @RvR If /var/www is the document root folder on the server (as I assume it is), then it's wrong to create the data folder in it (or in any subfolder within it). That's clearly stated in the docs also. The point isn't that the installation works as long as you create the data folder "outside the Elgg install directory" but that it's not secure to have the data directory inside the document root folder even if Elgg does not warn about it in all cases. If it works for you, fine. But please do not insist on giving others wrong (insecure) advice just because it works for you.
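
The check the thread keeps coming back to, as an added example (not posted by any participant and not part of Elgg): a POSIX shell test of whether a data directory lies inside the document root. The function names are hypothetical; both paths are resolved through symlinks first, and a sibling such as /var/www2 is not mistaken for a subdirectory of /var/www.

```shell
#!/bin/sh
# Added example: is the Elgg data directory inside the web server's document root?

# Print the canonical (symlink-free) absolute path of an existing directory.
canon() {
    ( cd -P -- "$1" 2>/dev/null && pwd -P )
}

# Return 0 if directory $1 is the document root $2 or lies anywhere below it,
# 1 if it lies outside, 2 if either path cannot be resolved.
inside_docroot() {
    data=$(canon "$1") || return 2
    root=$(canon "$2") || return 2
    # A document root of "/" would contain every directory.
    [ "$root" = "/" ] && return 0
    # The trailing slash makes the comparison component-wise:
    # /var/www2/data/ does not match /var/www/*.
    case "$data/" in
        "$root"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Human-readable verdict; exit status 0 only when the layout is safe.
check_data_dir() {
    rc=0
    inside_docroot "$1" "$2" || rc=$?
    case $rc in
        0) echo "INSECURE: $1 is inside document root $2"; return 1 ;;
        1) echo "OK: $1 is outside document root $2"; return 0 ;;
        *) echo "ERROR: cannot resolve $1 or $2"; return 2 ;;
    esac
}

# Usage: sh check_datadir.sh <data-dir> <document-root>
if [ $# -eq 2 ]; then
    check_data_dir "$1" "$2"
fi
```

Pass the document root exactly as the web server is configured with it (Apache's DocumentRoot or nginx's root directive), not the Elgg install directory, since the two can differ.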