data dir file permission 700 in public_html

hello, I have had trouble setting a data dir out of the main elgg dir but the data dir is set to 700 which should be secure..is that alright or should I try to chown a dir off the root...I would think 700 was secure from the public

  • @iionly I will agree with you if you give me at least one example of how my installation might be unsafe.
    As for the documentation, I assume that it's a case of simultaneous placement of files and data in one directory.
    Using nginx I fairly reliably allocated the access and read permissions. I don't even have access to /var/www through the web because:

    server {
        listen       80;
        server_name  localhost;
    
        location / {
            return 301 https://www.google.com;
        }
    }

  • I am not giving wrong advice..it is outside of the main directory..it was my server that wouldn't let me place it there but after reinstall of the server everything is fine. It wouldn't allow symlink either but that works now.

  • @Herb my request about not giving a wrong advice was directed to @RvR and not to you.

    @RvR Please inform yourself with other sources about what the "document root directory" of a webserver is if you don't believe me. The document root path is the "starting point" on the filesystem where a URL call in the browser to the site domain lands. It happens to be the Elgg install/root folder only if you don't install Elgg in a subdirectory. Nevertheless, anything under the document root directory is open to the Internet even if you install Elgg in a subdirectory. That's important with regards to the location of the data directory of Elgg and as the install instructions clearly say "the data directory must be stored outside the document root directory" and explicitly NOT ONLY outside the Elgg install folder. So, your assumption is wrong that it would only refer to Elgg install folder and data directory being in the same directory. As I said: inform yourself about what the document root directory is.

    What does a data directory inside the document root directory mean? It means that a direct access to the files is possible bypassing any access limitations of Elgg. You can directly view/download a file (site.url/data_directory_name/path/to/file/filename). Is this file set to "private" on Elgg? It wouldn't matter. Is that what you can live with?
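The placement rule discussed above can be checked mechanically. The following is an added example, not code from the thread or from Elgg: it reports whether a data directory resolves to a location under the document root, whether a symlink under the document root reaches it, and whether its mode grants group or other access. The function names and the `public_html`/`elgg_data` layout are constructed for illustration, and POSIX paths are assumed.

```python
import os
import stat
import tempfile

def is_within(path, root):
    """True if path equals root or lies beneath it (both resolved, absolute)."""
    return os.path.commonpath([path, root]) == root

def audit_data_dir(data_dir, doc_root):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    real_data = os.path.realpath(data_dir)
    real_root = os.path.realpath(doc_root)

    # Case 1: the data directory itself sits under the document root.
    if is_within(real_data, real_root):
        findings.append("data dir is inside the document root")

    # Case 2: a symlink under the document root leads to the data directory
    # or to one of its parents, so a server that follows symlinks can reach it.
    for base, dirs, files in os.walk(real_root):  # does not descend into links
        for name in dirs + files:
            entry = os.path.join(base, name)
            if not os.path.islink(entry):
                continue
            target = os.path.realpath(entry)
            if is_within(target, real_data) or is_within(real_data, target):
                findings.append("symlink reaches data dir: " + entry)

    # Mode 700 only keeps other local accounts out; a web server running as
    # the owning account can still read the files.
    mode = stat.S_IMODE(os.stat(real_data).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("data dir mode %o allows group/other access" % mode)
    return findings

def demo():
    """Constructed layout: <tmp>/public_html is the document root."""
    top = os.path.realpath(tempfile.mkdtemp())
    root = os.path.join(top, "public_html")
    inside = os.path.join(root, "elgg_data")      # data dir under the doc root
    outside = os.path.join(top, "elgg_data")      # data dir beside the doc root
    for d in (inside, outside):
        os.makedirs(d)
        os.chmod(d, 0o700)
    return audit_data_dir(inside, root), audit_data_dir(outside, root)

if __name__ == "__main__":
    print(demo())
```

A clean result says nothing about server-level rules such as the nginx block quoted earlier; it only checks the filesystem layout.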

  • I don't see any problems with RVR's approach as long as the server is configured properly.

  • @iionly

    "Nevertheless, anything under the document root directory is open to the Internet even if you install Elgg in a subdirectory."

    You're wrong. As I said above I closed this access.

    "What does a data directory inside the document root directory mean? It means that a direct access to the files is possible bypassing any access limitations of Elgg. You can directly view/download a file (site.url/data_directory_name/path/to/file/filename)."

    No. You can't. Try to do it.

  • @RvR Sorry. But I don't think the link you've given as example proves anything. It's a subdomain url already pointing to the Elgg install folder and not the url to the document root on your server which would have to be the starting point for testing. This url is of course invalid as you said the data directory is in parallel to the install folder and not inside it.

    The document root url would have to redirect me to google.com according to the example nginx config snippet you posted. What happens when directly calling a subdirectory or even a file inside a subdirectory is beyond my knowledge as I've no experience with nginx webserver. I have to admit that I missed this snippet before making my previous post. Nonetheless, it has been only in your 4th posting here that you mentioned that additional configuration steps are necessary to protect the data directory if it's placed inside the document root folder. Would you even have mentioned it if I hadn't started to object to your initial posting? And I'm not sure you even provided all the relevant code of the nginx config here that's necessary to protect your data directory from direct access as I'm missing the redirect to google that I expected to happen.

    I'm still holding to my opinion here. As mentioned in the install instructions it's advised to create the data directory outside the document root directory. Advising the opposite seems bad advice to me if you also keep in mind that beginners might read your posting - especially if you don't mention in detail the complete server configuration necessary to secure the data directory. Why not keep it simple and stick to the info given in the docs? No harm done then if your server is lacking the additional config steps. And if you know what you are doing you can do it differently on your own at your own risk. But please don't give advice that leaves out important details.