    Solved Moodle Security Check - File Permissions

      farmerjo last edited by

      Hi,
      Running the "Reports / Security Checks" on the Cloudron Moodle app shows the following:

      Error Check all public / private paths
      ^..* files should not be public
      composer.json files should not be public
      .lock files should not be public
      environment.xml files should not be public
      Directory index should not be enabled (Returned a 403, ideally should be 404)
      db/install.xml files should not be public
      readme.txt files should not be public
      README files should not be public
      /upgrade.txt files should not be public
      phpunit.xml files should not be public
      /fixtures/ files should not be public
      /behat/ files should not be public

      Could you please update the install script to address these?

        nebulon Staff @farmerjo last edited by nebulon

        @farmerjo thanks for the heads up! For existing installations, add a file at /app/data/.htaccess with the following content:

        # https://docs.moodle.org/311/en/Apache#Installing_Apache
        
        AcceptPathInfo On
        
        ErrorDocument 404 /error/index.php
        
        # This sends any 403 from apache through to the same page, but also
        # overrides the http status with 404 instead for better security.
        ErrorDocument 403 /error/index.php?code=404
        
        RewriteEngine On
        
        RewriteRule "(\/vendor\/)" - [F]
        RewriteRule "(\/node_modules\/)" - [F]
        RewriteRule "(^|/)\.(?!well-known\/)" - [F]
        RewriteRule "(composer\.json)" - [F]
        RewriteRule "(\.lock)" - [F]
        RewriteRule "(\/environment.xml)" - [F]
        # Options -Indexes
        RewriteRule "(\/install.xml)" - [F]
        RewriteRule "(\/README)" - [F]
        RewriteRule "(\/readme)" - [F]
        RewriteRule "(\/moodle_readme)" - [F]
        RewriteRule "(\/upgrade\.txt)" - [F]
        RewriteRule "(phpunit\.xml\.dist)" - [F]
        RewriteRule "(\/tests\/behat\/)" - [F]
        RewriteRule "(\/fixtures\/)" - [F]
        

        We will provide a new package which will have that by default.

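An offline way to see which request paths the rules above match when they live in a .htaccess file (an added example, not part of the posts or of the Cloudron package). It assumes mod_rewrite's per-directory behaviour, where the pattern is tested against the path relative to the directory holding the .htaccess with no leading slash; the `docroot_below_htaccess` parameter, the helper names and the sample paths are constructed for illustration.

```python
import re

# Patterns copied from the RewriteRule lines in the post; each one ends in [F].
RULES = [
    r"(\/vendor\/)", r"(\/node_modules\/)", r"(^|/)\.(?!well-known\/)",
    r"(composer\.json)", r"(\.lock)", r"(\/environment.xml)",
    r"(\/install.xml)", r"(\/README)", r"(\/readme)", r"(\/moodle_readme)",
    r"(\/upgrade\.txt)", r"(phpunit\.xml\.dist)", r"(\/tests\/behat\/)",
    r"(\/fixtures\/)",
]

def rewrite_subject(url_path, docroot_below_htaccess=""):
    """String mod_rewrite tests in per-directory context: the file's path
    relative to the directory holding the .htaccess, with no leading slash.
    docroot_below_htaccess is an assumption about the layout ("" means the
    .htaccess sits in the web root itself)."""
    return docroot_below_htaccess + url_path.lstrip("/")

def blocking_rule(url_path, docroot_below_htaccess=""):
    """Return the first pattern that would answer with [F], or None."""
    subject = rewrite_subject(url_path, docroot_below_htaccess)
    for pattern in RULES:
        if re.search(pattern, subject):
            return pattern
    return None

# Constructed sample paths, one per kind of finding in the report, plus two
# that must stay reachable (/.well-known/ and a normal page).
SAMPLES = [
    "/.git/config", "/.well-known/security.txt", "/composer.json",
    "/composer.lock", "/admin/environment.xml", "/mod/forum/db/install.xml",
    "/mod/forum/upgrade.txt", "/phpunit.xml.dist", "/lib/tests/fixtures/a.txt",
    "/mod/forum/tests/behat/a.feature", "/README.txt", "/index.php",
]

def unmatched(paths, docroot_below_htaccess=""):
    """Paths that no rule matches under the given layout assumption."""
    return [p for p in paths if blocking_rule(p, docroot_below_htaccess) is None]

if __name__ == "__main__":
    for path in SAMPLES:
        print(f"{path:36} {blocking_rule(path) or 'not matched'}")
```

Patterns that begin with `\/` need a directory component in front of the file name, so whether a top-level file such as `/README.txt` is covered depends on where the web root sits relative to the .htaccess. Re-running "Reports / Security Checks" after the change remains the authoritative check.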
          girish Staff last edited by

          I have pushed a new package.
