SOLVED Moodle Security Check - File Permissions
-
Hi,
Running the "Reports / Security Checks" on the Cloudron Moodle app shows the following:Error Check all public / private paths
^..* files should not be public
composer.json files should not be public
.lock files should not be public
environment.xml files should not be public
Directory index should not be enabled (Returned a 403, ideally should be 404)
db/install.xml files should not be public
readme.txt files should not be public
README files should not be public
/upgrade.txt files should not be public
phpunit.xml files should not be public
/fixtures/ files should not be public
/behat/ files should not be publicCould you please update the install script to address there?
-
@farmerjo thanks for the heads up! For existing installations, add a file at
/app/data/.htaccesswith the following content:# https://docs.moodle.org/311/en/Apache#Installing_Apache AcceptPathInfo On ErrorDocument 404 /error/index.php # This sends any 403 from apache through to the same page, but also # overrides the http status with 404 instead for better security. ErrorDocument 403 /error/index.php?code=404 RewriteEngine On RewriteRule "(\/vendor\/)" - [F] RewriteRule "(\/node_modules\/)" - [F] RewriteRule "(^|/)\.(?!well-known\/)" - [F] RewriteRule "(composer\.json)" - [F] RewriteRule "(\.lock)" - [F] RewriteRule "(\/environment.xml)" - [F] # Options -Indexes RewriteRule "(\/install.xml)" - [F] RewriteRule "(\/README)" - [F] RewriteRule "(\/readme)" - [F] RewriteRule "(\/moodle_readme)" - [F] RewriteRule "(\/upgrade\.txt)" - [F] RewriteRule "(phpunit\.xml\.dist)" - [F] RewriteRule "(\/tests\/behat\/)" - [F] RewriteRule "(\/fixtures\/)" - [F]We wil provide a new package which will have that by default.
-
I have pushed a new package.
