This paragraph discusses the points to check for a secure installaton. However, it is impossible to describe all possibilities and their exceptions. Do not hesitate to ask help from a local Linux group or ask for support.
All program files of Website@School are installed in the so called CMS Root Folder. The CMS Root Folder is often the same as the webserver Document Root. However, it is also possible to use a subdirectory of the webserver Document Root instead.
Furthermore, for a good installation a separate Data Directory is necessary. After installation is complete, this Data Directory will contain the CMS Data Folder.
3.1 Program files and configuration file
After a successful installation, the CMS Root Folder, i.e. the webserver Document Root, or the self chosen subdirectory, should contain the following files and directory. Observe permissions and ownership:
-rw-r--r-- 1 root root 2210 Feb 1 14:00 admin.php
-rw-r--r-- 1 root root 7827 Feb 1 14:00 config-example.php
-r-------- 1 www root 754 Feb 1 11:10 config.php
-rw-r--r-- 1 root root 2204 Feb 1 14:00 cron.php
-rw-r--r-- 1 root root 2653 Feb 1 14:00 file.php
-rw-r--r-- 1 root root 2675 Feb 1 14:00 index.php
drwxr-xr-x 1 root root 824 Feb 2 10:11 program
|
The CMS Program Folder program/ contains dozens of files and subdirectories. Together these form the Website@School program.
Finally, there is the configuration file config.php.
This file (which is created by the Install Wizard) must be placed in the same directory as the other files, i.e. in the CMS Root Folder.
It is sufficient for the webserver (Apache) to only have read permissions on all these program files and subdirectories. This also applies to the configuration file config.php.
Security wise it is best to make sure that the webserver (Apache) has no write permissions on these program files and (sub) directories. This also applies tot the configuration file config.php.
For additional security and protection of the data in config.php it makes sense to limit the permissions on that file even further.
On a Linux server it speaks for itself to set these read- and write permissions as follows:
- All files, with the exception of config.php, get permissions 0644 and are owned by user root and group root.
- Al directories get permissions 0755 and are owned by user root and group root.
- The file config.php gets permissions 0400 and becomes owned by user www and group root.
NOTICE 1:
It is also possible to give the files (except config.php) permissions 0444 and the directories permissions 0555, but this adds factually little when the files are owned by user root, because anyhow user root has all permissions, also write permissions, on any file.
NOTICE 2:
In this example user www is used as the account under which the webserver (Apache) is running. Depending on the specific system, this can also be the user apache or nobody. Please consult the documentation and/or configuration of the webserver.
NOTICE 3:
The file config.php is a case on its own. This file contains the database password. For that reason it is good to only and exclusively give the webserver (Apache) read permissions on this file and no other user or group.
NOTICE 4:
If it is not possible to make the files (except config.php) and directories owned by user root and group root, then it is also possible to choose another user and group, as long as it is not the webserver user and group for that purpose. Permissions 0644 or 0755 are usable.
3.2 Data files
For a fully functional Website@School, also storage space is needed, preferably outside the websrervers Document Root.
During the installation in step 2.5 Website you have entered a path, for example /home/httpd/wasdata.
For security reasons the installer creates a subdirectory inside this directory: This we call the CMS Data Folder. The full path of the CMS Data Folder is the Data Directory path followed by a difficult to guess directory name of 32 letters and digits, for example:
/home/httpd/wasdata/b27b7d81c0ea26c4885784564bda2e11.
It is necessary that, during the installation, the webserver (Apache)
has read-, write- and execute permissions in the Data Directory (for example wasdata), in order to create the CMS Data Root.
After finishing the installation the write permissions can be minimised, as long the read and search permissions for the webserver remain.
3.2.1 Outside the document root
Concerning security it is strongly advised that the CMS Data Folder is located outside the webserver Document Root.
Example 1:
On the Linux server /home/httpd/htdocs is the webserver Document Root. In that case a secure choice for the Data Directory is /home/httpd/wasdata. This results in:
- Data Directory: /home/httpd/wasdata
- CMS Data Folder: /home/httpd/wasdata/fa0aff7743cd61f2afb473ca528fd431
During the installation, the Data Directory must have permissions 0700 with user www and group root. After finishing the installation, it is sufficient to set the permissions of this directory to 0500 with user www and group root.
Example 2:
On a Linux server /var/www is the webserver Document Root. The Data Directory could be located in /var/wasdata. This results in:
- Data Directory: /var/wasdata
- CMS Data Folder: /var/wasdata/fa0aff7743cd61f2afb473ca528fd431
During the installation, this Data Directory should have sufficient file access permissions, e.g. by -- temporarily -- elevating permissionss to 0777, with user wblade and group users. After finishing the installation, it is sufficient to set the permissions of this directory to 0555 with user wblade and group users.
User wblade is Wilhelmina Bladergroen, the systems administrator of the Exemplum Primary School. For explanation on this user and the school see the ServerAtSchool documentation at
http://serveratschool.net/doc/manual/overview.html#h2
NOTICE:
The permissions and ownership of the underlying directories created by the Installation Wizard, must remain as they are. Here is an example:
drwx------ 3 www www 240 Feb 6 13:53 fa0aff7743cd61f2afb473ca528fd431
|
3.2.2 Inside the document root
Concerning security it is strongly advised to have the CMS Data Folder located outside the Document Root.
If, for some reason or another, this is not possible, then choose a difficult and long directory name to make it difficult for a third party to find this directory by 'guessing'. After all, all documents are in pinciple direcly accessible, provided the name of the document is known.
Example 1:
On a Linux server /home/httpd/htdocs is the webservers Document Root. If the Data Directory and hence the CMS Data Folder is to stay in there, then
b27b7d81c9ea26q4885734564qda2e12 looks like a good, difficult to guess subdirectory name. This results in:
- Data Directory/home/httpd/htdocs/b27b7d81c9ea26q4885734564qda2e12
- CMS Data Folder: /home/httpd/htdocs/b27b7d81c9ea26q4885734564qda2e12/fa0aff7743cd61f2afb473ca528fd431
The permissions of the Data Directory during the installation are 0700 with user www and group root. After the installation permissions 0500 with user www and group root are enough.
Example 2:
On a Linux server /var/www is the webservers Document
Root. If the Data Directory and hence the CMS Data Folder is to stay in there, then b27b7d81c9ea26q4885734564qda2e12 looks like a good, difficult to guess directory name. This results in:
- Data Directory: /var/www/b27b7d81c9ea26q4885734564qda2e12
- CMS Data Folder: /var/www/b27b7d81c9ea26q4885734564qda2e12/fa0aff7743cd61f2afb473ca528fd431
During the installation, the Data Directory has --temporarily-- permissions 0777 with user wblade and group users. After the installation it is sufficient to set back the permissions of this directory to 0555 with user wblade and group users.
User wblade is Wilhelmina Bladergroen, the systems administrator on the Exemplum Primary School. For explanation on this user and the school see the ServerAtSchool Documentation at
http://serveratschool.net/doc/manual/overview.html#h2
NOTICE:
The permissions and ownership of the underlying directories created by the installation wizard, must remain as they are.
This manual is not a study book on server security. For safety contact your systems administrator or ISP (Internet Service Provider) for a possibly even tighter installation or contact the Website@School support at support@websiteatschool.eu.
NOTICE:
Before making use of your installation, please also read the next section to check some of the configuration items that affect security.
(top)
When you have successfully completed the previous section, please also check the following items that either affect the security of your installation or prevent problems. All items are described in the Configuration Manager, paragraph 5. Site.
4.1 Virus scanning
On a school server with so many users able to upload files from anywhere, scanning for viruses is a must. In the procedure below we describe how to check if virus scanning is indeed functioning.
First check at [ ] Scan files for viruses on upload, the box is checked. Then perform the following test to verify the correct operation of the virus scanner by creating a special 'test virus'. There is a standard test, developed explicitly for testing antivirus programs. It was developed by the European Institute for Computer Anti-Virus Research (EICAR). You can easily create this test using any text editor. The test file consists of 68 plain ASCII characters as shown below. Note that the 3rd character is a capital 'O' and not the digit '0'.
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Now store these 68 characters in a file. Do not name it EICAR.COM, as suggested by the Institute, because by default .com is a not allowed file extension in Website@School. Maliciously name it image.png, so it will be accepted, and upload it to your My Files location. The virus should be detected and an error message must be generated like:
![[ virus ]](install/install_after_install_virus.png)
install_after_install_virus.png
If the virusscanner is properly installed and found during installation, but it is for some reason not working during the upload, a message like the following is displayed. Notice 'Error 2'.
Filename(1): Error 2 while scanning for viruses, file 'other_image.bmp'
Files added: 0, files ignored: 1
.
More information on EICAR.COM can be found on the EICAR web
site at http://www.eicar.org/anti_virus_test_file.htm.
Note that this EICAR.COM file in itself is a valid but harmless
DOS program. When executed (in a DOS box), it simply displays the text
'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!', nothing more.
This sub paragraph on testing with a virus is gracefully copied and slightly adapted from http://serveratschool.net/doc/, the ServerAtSchool Documentation, where the installation of a secure school server is discussed.
In every installation of Website@School the session name is the same. A bit of extra security can be added by changing the session name WASSESSION to something else. After changing, log out and in again.
Easy to change after the installation, however when this change is done some time in the future, it might give you a lot of work. Please read about this item in the Configuration Manager, paragraph 3. Site
(top)
Below the most common errors during the installation procedure are discussed.
When the installation is cancelled, it is because the Website@School installer found an already existing config.php configuration file. This is a security feature that prevents overwriting an existing configuration file. Check if the file exists. If this is the case, either delete or rename it. You cannot accidently overwrite an existing config.php file while doing a new installation of Website@School, even when the file permissions would allow it.
Click [OK] to return to the language selection. It is possible to download the config.php file. See paragraph 2.10 Download configuratoin file.
When you have created the data directory with the wrong ownership (for example root.root), you can get an error message like:
Error: Data directory: directory can not be created: /home/httpd/htdocs/wasdata/6a69137e2689c8f91873e0634ca46bda.
You get the same type of errors when the file permissions are too low (for example 000 or 600). Here is an example of minimal permissions and ownership:
drwx------ 2 www www 48 Feb 3 16:49 wasdata
|
The installer can be unable to write [1] the configuration file config.php because the directory is write protected. In that case, you have the possibility to download config.php and save it on your computer. Then copy it to the location you choose to put the program in. This feature could be seen as a security measure.
[1] For example when Website@Schools CMS Root Folder has permissions like:
dr-x------ 3 www www 240 Oct 21 13:53 htdocs
|
It is impossible to write in the directory.
(top)
Your Website@School is ready for use. Please take the Guided Tour to have a quick introduction to some (but not all) features of Webiste@School.
(top)
Author: Dirk Schouten <schoutdi (at) knoware (dot)
Last updated: 2011-07-11
icon.
![[ start installation select language ]](install/install_language.png)
![[ installation type ]](install/install_installation_type.png)
![[ license top ]](install/install_license_top.png)
![[ license bottom ]](install/install_license_bottom.png)
![[ database ]](install/install_database.png)
![[ website top ]](install/install_website_top.png)
![[ website bottom ]](install/install_website_bottom.png)
![[ user account ]](install/install_user_account.png)
![[ compatibility ]](install/install_compatibility.png)
![[ confirmation top ]](install/install_confirmation_top.png)
![[ confirmation bottom ]](install/install_confirmation_bottom.png)
![[ finish ]](install/install_finish.png)
![[ login ]](install/install_login.png)
![[ finish with download ]](install/install_finish_download.png)
![[ finish with download save ]](install/install_finish_download_save.png)