Moodle Security Check - File Permissions
-
Hi,
Running the "Reports / Security Checks" on the Cloudron Moodle app shows the following:

Error Check all public / private paths
^..* files should not be public
composer.json files should not be public
.lock files should not be public
environment.xml files should not be public
Directory index should not be enabled (Returned a 403, ideally should be 404)
db/install.xml files should not be public
readme.txt files should not be public
README files should not be public
/upgrade.txt files should not be public
phpunit.xml files should not be public
/fixtures/ files should not be public
/behat/ files should not be public

Could you please update the install script to address these?
-
@farmerjo thanks for the heads up! For existing installations, add a file at /app/data/.htaccess with the following content:

```apache
# https://docs.moodle.org/311/en/Apache#Installing_Apache
AcceptPathInfo On
ErrorDocument 404 /error/index.php

# This sends any 403 from apache through to the same page, but also
# overrides the http status with 404 instead for better security.
ErrorDocument 403 /error/index.php?code=404

RewriteEngine On
RewriteRule "(\/vendor\/)" - [F]
RewriteRule "(\/node_modules\/)" - [F]
RewriteRule "(^|/)\.(?!well-known\/)" - [F]
RewriteRule "(composer\.json)" - [F]
RewriteRule "(\.lock)" - [F]
RewriteRule "(\/environment.xml)" - [F]
# Options -Indexes
RewriteRule "(\/install.xml)" - [F]
RewriteRule "(\/README)" - [F]
RewriteRule "(\/readme)" - [F]
RewriteRule "(\/moodle_readme)" - [F]
RewriteRule "(\/upgrade\.txt)" - [F]
RewriteRule "(phpunit\.xml\.dist)" - [F]
RewriteRule "(\/tests\/behat\/)" - [F]
RewriteRule "(\/fixtures\/)" - [F]
```
We will provide a new package which will have that by default.
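An added example, not part of the original posts or the Cloudron package: an offline replay of the `RewriteRule` patterns from the reply against constructed request paths, to see which rule forbids each one before re-running the security report. Assumptions: Python's `re` stands in for Apache's regex engine, the names `RULES`, `SAMPLES` and `first_match` are made up here, and `per_dir=True` models `.htaccess` context (where mod_rewrite matches the path relative to the directory holding the file, without a leading slash) with that directory taken to be the document root.

```python
import re

# Patterns copied from the RewriteRule lines in the post above; each carries [F].
RULES = [
    r"(\/vendor\/)",
    r"(\/node_modules\/)",
    r"(^|/)\.(?!well-known\/)",
    r"(composer\.json)",
    r"(\.lock)",
    r"(\/environment.xml)",
    r"(\/install.xml)",
    r"(\/README)",
    r"(\/readme)",
    r"(\/moodle_readme)",
    r"(\/upgrade\.txt)",
    r"(phpunit\.xml\.dist)",
    r"(\/tests\/behat\/)",
    r"(\/fixtures\/)",
]

def first_match(url_path, per_dir=True):
    """Return the first pattern that forbids url_path, or None if no rule fires.

    per_dir=True models .htaccess context: the subject has no leading slash.
    Assumption: the .htaccess directory is the document root.
    per_dir=False models server/vhost context: the full URL path is matched.
    """
    subject = url_path.lstrip("/") if per_dir else url_path
    for pattern in RULES:
        if re.search(pattern, subject):
            return pattern
    return None

# Constructed request paths, not taken from a real install.
SAMPLES = [
    "/composer.json", "/.git/config", "/.well-known/security.txt",
    "/lib/db/install.xml", "/admin/environment.xml", "/lib/upgrade.txt",
    "/mod/quiz/tests/behat/quiz.feature", "/vendor/autoload.php",
    "/README.txt", "/index.php",
]

if __name__ == "__main__":
    for path in SAMPLES:
        for mode in (True, False):
            hit = first_match(path, per_dir=mode)
            ctx = ".htaccess" if mode else "vhost"
            print(f"{ctx:9} {path:36} {'403 via ' + hit if hit else 'served'}")
```

A path reported as served in the `.htaccess` column but 403 in the vhost column is one to re-check against the live site with the security report.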