server-status-project/server-status

Manual Database and configuration file creation

Closed this issue · 3 comments

As I go through the steps of installation, I see that this requires access to write to the web directory as well as make tables. This is a major security flaw, as making this possible on a publicly available server will cause the ability for anyone to execute PHP code/scripts within the directories given those permissions. That does not even mention the ability to make tables and, likely, an entire clandestine database for spambots.

Can you please incorporate into your development the ability to make configurations manually and without the need for those levels of control? You can use WordPress as an example for this; it allows users to make a config and drop it in on their own. (I will help code if needed)
However, A+ code, is A+ code. I like this.

Get back to me about this ASAP because I cannot wait to hear and read what you have to say.

But I can't speak for what Pryx has in mind around this, but this is how I see it:

Write access is only needed during installation to generate the config.php file. So once the system is up and running you can alter the access rights to read only.

The CREATE/ALTER table access right on MySQL is also only required during installation. Once it's set up you can revoke all but the normal SELECT, INSERT, UPDATE rights to the DB user; alternatively, install with a high-level DB user and modify config.php once completed to use a lesser DB user.

Pryx has made the system easy to install and use, which I don't see as a big issue. The security-minded will, as with most software - including WordPress - often require some manual work before or after the install is complete.

One option to improve on this could be to have a warning message displayed after the install is complete, or during login to the admin page to provide additional info on hardening of the install.

Pryx commented

@thnilsen is exactly correct - the permissions are only needed when installing, you can then make the folder RO and revoke DB user permissions or swap the credentials in config. Or do you think we need a better solution? @diveyez

We have now moved settings to the database. As this update was added to the beta, you can create the config manually by only entering DB credentials and executing the install.sql file. We are closing this now, but you may reopen if you have other concerns. Thanks!
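
The post-install hardening described in this thread (install directory made read-only, database account reduced to SELECT, INSERT, UPDATE), as an added example that is not part of the issue thread or the project's code. The function names, install path, database name and account are hypothetical, and it assumes the installer account was granted its privileges on the database itself rather than globally.

```sh
#!/bin/sh
# Added example; function names, paths, database and account are assumptions.

# List anything under $1 that still has a write bit set (symlinks skipped,
# their mode bits are meaningless). Empty output means the tree is read-only.
writable_paths() {
    find "$1" ! -type l \( -perm -200 -o -perm -020 -o -perm -002 \) -print
}

# Strip every write bit once the installer has generated config.php.
lock_down() {
    chmod -R a-w "$1"
}

# Accept only a conservative character set so a crafted name cannot
# change the meaning of the generated SQL.
safe_ident() {
    case $1 in
        ''|*[!A-Za-z0-9_.%-]*) return 1 ;;
    esac
}

# Print the statements that reduce the install-time account to the
# SELECT/INSERT/UPDATE set named in the thread. Review the output, then
# feed it to the mysql client as an administrative user.
# Assumes the account's privileges were granted on db.* (not *.*).
least_privilege_sql() {
    db=$1 user=$2 host=$3
    for v in "$db" "$user" "$host"; do
        safe_ident "$v" || { echo "unsafe identifier: $v" >&2; return 1; }
    done
    cat <<EOF
REVOKE ALL PRIVILEGES ON \`$db\`.* FROM '$user'@'$host';
GRANT SELECT, INSERT, UPDATE ON \`$db\`.* TO '$user'@'$host';
SHOW GRANTS FOR '$user'@'$host';
EOF
}

# Usage: ./harden.sh /var/www/status status status_app localhost
if [ "$#" -eq 4 ]; then
    lock_down "$1"
    writable_paths "$1"          # should print nothing after lock_down
    least_privilege_sql "$2" "$3" "$4"
fi
```

Software updates that write into the install directory need the write bits restored for the duration of the update.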