Actions

Installation security hints/de: Difference between revisions

From LimeSurvey Manual

(Created page with "<div class="simplebox">Datei:help.png '''Hinweis:'' * Je nach Webserver-Konfiguration müssen Sie mit denm Befehl chmod die Rechte für beschreibbare Ordner auf 755 oder 7...")
(Updating to match new version of source page)
(19 intermediate revisions by 2 users not shown)
Line 4: Line 4:
==Generelles==
==Generelles==


LimeSurvey hat ein eigenes Sicherheitssystem eingebaut, welches standardmä&szlig;ig aktiviert ist. Das LimeSurvey-Projekt übernimmt keine wie immer gearteten Forderungen, Haftungen, Ansprüche etc., welche sich aus ihrem Einsatz mit LimeSurvey ergeben, natürlich auch jenen, welche auf mangelnde Sicherheitsvorkehrungen ihrerseits beruhen. Kurz: gehen sie davon aus, dass LimeSurvey als unsicher gilt, solange sie nicht selber für entsprechende Sicherheitsvorkehrungen sorgen. Trotzdem nehmen wir Sicherheitsprobleme sehr ernst und reagieren schnell - wenn Sie also von einem Sicherheitsproblem mit LimeSurvey Kenntnis haben, so lassen Sie uns dies bitte wissen: info@limesurvey.org oder erstellen Sie einen Fehlerreport in unserem [http://bugs.limesurvey.org Bug Tracker] (markieren Sie diesen bitte als 'private').
LimeSurvey relies on its own security, which is activated by default. The authors of this software take no responsibility and makes no claims regarding the appropriateness or security level of this software. However, we take security issues very seriously and react quickly. Therefore, if you know of any security problems within LimeSurvey, please let us know either by sending us an email to [mailto:info@limesurvey.org info@limesurvey.org] or by opening a bug report in our [http://bugs.limesurvey.org bug tracker] (please mark it as private).


==Dateirechte in Linux==
==Dateirechte in Linux==


Wenn sie einen Linux-Server verwenden, sollten Sie entsprechende Dateiberechtigungen setzen, damit Ihre Installation gesichert ist.
If you are using a Linux server, setting file permissions accordingly is required to secure your LimeSurey installation.


===Grundlegende Fakten über Linux/*nix Dateiberechtigungen===
===Grundlegende Fakten über Linux/*nix Dateiberechtigungen===
Line 14: Line 14:
Ein Linux/*nix System ist normalerweise ein Mehrbenutzersystem. Das bedeutet, dass abgesehen von Ihrem persönlichen Zugang noch andere Benutzerzugänge auf dem System bestehen könnten und daher sollten Sie darauf achten, welche Berechtigungen Sie diesen anderen Benutzern geben.
Ein Linux/*nix System ist normalerweise ein Mehrbenutzersystem. Das bedeutet, dass abgesehen von Ihrem persönlichen Zugang noch andere Benutzerzugänge auf dem System bestehen könnten und daher sollten Sie darauf achten, welche Berechtigungen Sie diesen anderen Benutzern geben.


<div class="simplebox">[[File:help.png]] '''Hinweis:''' Das Setzen von Dateiberechtigungen ist besonders wichtig bei Konfigurationsdateien, die normalerweise sensible Daten enthalten, wie z.B. Kennworte.</div>
<div class="simplebox">[[File:help.png]] '''Hint:''' setting file permissions is especially important in order to secure configuration files holding critical data such as passwords.</div>


"Sie sollten aber wissen, dass ein 'root' Zugang immer Zugriff auf Ihre Dateien hat (egal welche Berechtigungen Sie setzen), da diese der Super-Admin Benutzer ist."
'''Bear in mind that the 'root' account will always be granted permission to access your files (no matter what file permissions you set) as it is the super-admin user.'''


Der Webserver (auf dem LimeSurvey läuft) läuft normalerweise auch unter einem bestimmten Identität/User. Unter Linux ist dies üblicherweise der 'www','www-data' (auf Debian/Ubuntu), 'apache' oder 'nobody' User. Einige Webhoster nutzen eine System (wie z.B. suexec) welches es ermöglicht, LimeSurvey unter einem persönlichen Nutzer laufen zu lassen. Natürlich muss der Webserver User die Berechtigung zum Lesen der LimeSurvey Dateien haben. Aber nur eine begrenzte Anzahl an Unterverzeichnissen im LimeSurvey Verzeichnisbaum muss auch durch den Webserver-Benutzer beschreibbar sein.
The web server (which runs LimeSurvey) is also running under a given identity (user). On Linux, this is usually the 'www', 'www-data' (on Debian/Ubuntu), 'apache' or 'nobody' user. However, some hosting companies use systems (such as suexec) that make it possible to run LimeSurvey scripts with your personal user. Of course, the web server user must have the right to read LimeSurvey files. However, only a small subset of LimeSurvey sub-directories must be writable by the web server user.


<div class="simplebox">[[File:help.png]] '''Hinweis''': Es ist auf jeden Fall sinnvoll die Schreibrechte auf allen nicht benötigen Verzeichnissen zu entfernen. Selbst wenn eine LimeSurvey SIcherheitslücke entdeckt werden sollte, sind die Hauptdateien dank der Dateiberechtigungen dann immer noch vor Manipulationen geschützt.</div>
<div class="simplebox">[[File:help.png]] '''Hint''': it is very valuable to revoke write permission for the web server user to these LimeSurvey sub-directories that do not require it. Indeed, even if a LimeSurvey vulnerability might be discovered, the main files will still be protected from an illicit modification thanks to the file system permissions.</div>


===Setzen von Berechtigungen auf einem selbstverwalteten Linux-System===
===Setzen von Berechtigungen auf einem selbstverwalteten Linux-System===


If you're managing your webserver and operating system configuration (you are the owner of the physical server or are renting a virtual server on which you have root access), you can follow these recommendations.
If you're managing your web server and operating system configuration (you are the owner of the physical server or are renting a virtual server on which you have root access), you may consider the following recommendations from below.
*Für das LimeSurvey Stammverzeichnis (oder wie immer sie es benannt haben) - chmod 755 (lesen/ausführen - für die gesamte Welt)
*Für die Dateien im LimeSurvey Verzeichnis - chmod 755 (lesen/ausführen - für die gesamte Welt)
*Für das tmp Verzeichnis - chmod 755 - dieses Verzeichnis ist beim Erstellen leer und wird danach verwendet um Dateien hochzuladen, Grafiken, welche mit JPGraph erstellt wurden zu speichern, ebenso werden dort Dateien vom Vorlagen-Editor abgelegt.
* Für Dateien im admin Verzeichnis - chmod 755 (lesen/ausführen - für die gesamte Welt)


Die Standard-Dateien in diesem Verzeichnis benötigen keine Schreibrechte - de facto sollten sie auch keine bekommen, da bei normalen Gebrauch von LimeSurvey sie nie welche benötigen werden.
You can first set the owner and group of your LimeSurvey files so that it will ease the file permissions setup. A possible strategy is to set the owner of the LimeSurvey files to your personal username, and the group of the LimeSurvey files to the web server group. Usually, this web server group only contains the web server account (and possibly another webmaster account). For instance, if your username is 'myaccount' and the webserver user is 'apache' in the 'apache' group, then, from a shell access, you can use the following command: <code>$ chown -R myaccount:apache limesurvey/</code>. Subsequently, set the file and sub-directories permissions.


Eine mögliche Strategie ist es, den Besitzer der LimeSurvey-Dateien auf Ihre persönlichen Benutzernamen und die Gruppe der LimeSurvey-Dateien auf die Webserver-Gruppe zu setzen. Normalerweise enthält die Webserver-Gruppe nur das Webserver-Konto (und evtl. noch ein Webmaster-Konto).
For the script to work properly, the write access to some directories is needed:
*The /limesurvey/application/config directory requires ''Read & Write'' for saving the application configuration settings
*The /limesurvey/tmp directory and its sub-directories are used for imports/uploads and should be set to ''Read & Write'' for your web server
*The upload/directory and all its sub-directories must also have set ''Read & Write'' permissions in order to enable pictures and media files upload
* All other directories and files can be set to ''Read Only''


Zum Beispiel, wenn Sie Ihr Benutzername 'myaccount' ist und der Webserver-Benutzer ist 'apache' in der 'apache'-Gruppe, dann können Sie von einem Shell-Zugang folgenden Befehl verwenden:
<div class="simplebox">[[File:help.png]] '''Hint:''' supposing you've followed the recommendations above on owner/group, these settings can be applied by the following commands:


$ chown -R myaccount:apache limesurvey/
<code>$ chmod -R o-r-w-x limesurvey/</code>


Legen Sie dann die Datei- und Unterverzeichniss-Berechtigungen fest.
<code>$ chmod -R -w limesurvey/</code>


Damit das Skript funktioniert muss es Schreibzugriff auf einige Verzeichnisse haben:
<code>$ chmod -R 770 limesurvey/application/config</code>
*Das "/limesurvey/tmp" Verzeichnis und dessen Unterverzeichnisse sind für Importe/Uploads sollte auf "Lesen & Schreiben" für deinen Webserver gesetzt sein.
*Das upload/ Verzeichnis und alle Unterverzeichnisse müssen auch "Lesen & Schreiben" für Ihren Webserver gesetzt habe, um es zu ermöglichen Bild-und Mediendateien hoch zu laden.
*Alle anderen Verzeichnisse und Dateien können auf "Nur Lesen" gesetzt werden.


<div class="simplebox">[[Datei:help.png]] '''Hinweis:''' Angenommen, dass Sie die oben genannten Empfehlungen für Besitzer/Gruppe befolgt haben, können diese Einstellungen mit folgenden Befehlen angewendet werden:
<code>$ chmod -R 770 limesurvey/tmp</code>


$ chmod -R o-r-w-x limesurvey/
<code>$ chmod -R 770 limesurvey/upload</code>
 
$ chmod -R -w limesurvey/
 
$ chmod -R 770 limesurvey/tmp
 
$ chmod -R 770 limesurvey/upload


</div>
</div>


===Dateirechte mit Windows===
===Setting file permissions on a hosted web server===


Wenn sie einen Windows Webserver verwenden sollten sie sicherstellen, dass der Benutzer des Webserver-Prozess Schreibrechte auf das admin Verzeichnis hat. Für alle anderen Dateien genügen "nur Lesen" und "Ausführen"-Rechte.
Giving the difficulty of a standard procedure to secure a web application on a hosted environment, it is rather difficult because hosted environments differ in many ways.


As in the managed server case, for the script to work properly it needs write access to some directories:
In the managed server case, the server needs write access to some directories in order for the script to work properly:
*The "/limesurvey/tmp" directory is used for imports/uploads and should be set to ''Read & Write'' for your webserver.
*The /limesurvey/tmp directory is used for imports/uploads and should be set to ''Read & Write'' for your web server
*The upload/ directory and all its sub directories must also have ''Read & Write'' for your webserver in order to enable picture and media files upload.
*The upload/directory and all its sub-directories must also have ''Read & Write'' for your web server in order to enable pictures and media files upload
* The other directories and files should be set to ''Read Only''
* The other directories and files should be set to ''Read Only''


<div class="simplebox">[[Datei:help.png]] '''Hinweis:''
<div class="simplebox">[[File:help.png]] '''Hint:'''
* Je nach Webserver-Konfiguration müssen Sie mit denm Befehl chmod die Rechte für beschreibbare Ordner auf 755 oder 777 setzen, um diese für den Webserver beschreibbar zu machen. Versuchen 755 zuerst - wenn es nicht funktioniert 'aktualisiere' auf 777.
* Depending on your web server configuration, you will have to chmod the rights on the writable folders to 755 or 777 to make it writable for the web server. Try 755 first, if it does not work, 'upgrade' to 777
* Sie können auch versuchen, den Zugriff auf config.php für anderen zu beschränken, indem Sie diese Datei-Berechtigungen auf 750 setzen - wenn es nicht funktioniert 'aktualisiere' auf 755.</div>
* You can also try to remove other users' read access to config.php by setting this file's permissions to 750 - if it does not work, 'upgrade' to 755</div>


==Dateirechte in Windows==
==Dateirechte in Windows==


If you are using a windows server your should ensure that the admin folder allows the owner of the webserver process to write files to this directory, however all other files can be set to read-only and execute.
If you are using a Windows server, your should ensure that the admin folder allows the owner of the web server process to write files to this directory, The rest of the files can be set to read-only and execute.


===Weitere Sicherheitsvorkehrungen===
===Weitere Sicherheitsvorkehrungen===


Die Datei config.php beinhaltet den Benutzernamen und das dazugehörige Passwort für den Datenbankserver. Dieses zieht weitere Sicherheitsaspekte nach sich, insbesondere, wenn sie einen Benutzer mit weitreichenden Zugriffsrechten auf die Datenbank verwenden. Wenn sie das Risiko etwas minimieren möchten, empfiehlt es sich, einen eigenen Benutzer anzulegen, welche nur über die entsprechenden Rechte verfügt, welche für eine Verwendung von LimeSurvey von Nöten sind.
The following are recommendations only. LimeSurvey in general is very safe without these additional measures. If you however collect extremely sensitive data, a little additional security can help:
 
===SSL usage===
We generally recommend the usage of SSL for sensitive survey data. You usually enable SSL by configuring your web server correctly and using a SSQL certificate. If you have enabled SSL, you should enforce SSL all the time from the [[Global_settings|global settings]] of LimeSurvey. Additionally, you could only set to use 'secure' cookies by editing the [[Optional_settings|respective option]] in config.php.
 
=== The access to the config.php file ===
 
{{Alert| You must update application/config/'''config.php''' only after the first installation is done and it works.}}
 
The /application/config/config.php file contains a user name and password for your database server. This poses certain security issues, particularly if you are using a login that has high level administrative access to your database. In the event of some error returning the content of this PHP file to a user's browser, your database password and other details could be compromised (however, this is a very unlikely scenario). The best way to minimize risk is to set up a specific login that has specific rights only to your LimeSurvey database.


Der beste Weg wäre es, wenn sie die Datei config.php in einem nicht dem Webserver zugeordneten Verzeichnis ablegen. Für Apache-Benutzer bedeutet dies, dass sie die config.php in einem Verzeichnis oberhalb der htdocs-Order ablegen. Von Seiten der Entwickler wurde diese Vorgehensweise zwar noch nicht getestet, aber es spricht von Skript-Seite nichts dagegen, wieso eine solche Einstellung nicht machbar sein sollte. Sie müssen in diesem Fall nur all jene PHP-Dateien des Skripts modifizieren, welche (meist am Dateianfang) die Befehlszeile `include ("config.php");` beinhalten und diese so abändern, dass diese  auf den vollständigen Pfad zu ihrer config.php zeigt, zum Beispiel: `include("c:/Programme/apache group/apache/phpsafe/config.php");` Wie gesagt, dies wurde noch nicht getestet, wenn sie es versuchen, teilen sie uns bitte ihre Erfahrungen hierzu im Forum oder Bugtracker mit. Für zukünftige Versionen wird vielleicht noch ein einfacherer Weg gefunden.
Another way to secure this information can be to put the information from the /application/config/config.php file in a non-web directory, i.e. for Apache users this is the directory above the htdocs (also known as public_html or www) folder. Basically, you will use config.php, but have one line in it - a line that includes the file with ACTUAL configuration information (ex: <code><?php return include("/home/hostfolder/safedata/configreal.php"); ?></code>). Remove all actual configuration information from /application/config/config.php and paste it into the other file (configreal.php) that is mentioned in the /application/config/'''config.php''' file. This other file should be located in a non-web directory. Then, /application/config/config.php will not contain database passwords etc. - just the name of the file that '''DOES''' contain the database info.  


Another way to secure this information can be to put the certain information from the /application/config/config.php file in a non-web directory, i.e. for Apache users this is the directory above the htdocs (aka public_html or www) folder. So you will use config.php, but have one line in it - a line that includes the file with ACTUAL configuration information (ex: <?php return include("/home/hostfolder/safedata/configreal.php"); ?>). Remove all actual configuration information from /application/config/config.php, and paste it into the other file (configreal.php) that is included by /application/config/config.php. This other file should be located in a non-Web directory. Then /application/config/config.php will not contain database passwords, etc. - just the name of the file that DOES contain the database info. This avoids having to change all the other files that include /application/config/config.php, since they can still include it, and it will include the real config information. However you will need to edit configreal.php and change the follow parameters
This avoids having to change all the other files that include /application/config/config.php, since config.php 're-directs them' towards the configuration file that is located in a non-web directory which includes all the real configuration information. However, you will need to edit configreal.php and change the follow parameters to use absolute directory paths to work properly:


<syntaxhighlight lang="php" enclose="div">
<syntaxhighlight lang="php" enclose="div">
Line 95: Line 95:
</syntaxhighlight>
</syntaxhighlight>


to use absolute directory paths to work properly. Example:
Example:


<syntaxhighlight lang="php" enclose="div">
<syntaxhighlight lang="php" enclose="div">
Line 109: Line 109:
</syntaxhighlight>
</syntaxhighlight>


Also don't use "admin" as the default user. Go to your MySQL database (or other one if you installed LimeSurvey on different database) and change default user name "admin" to whatever you prefer (e.g. "admin_xyz"). It will be now much harder to guess administrator's new user name. Remember, this is one of the two variables intruders can use to gain access. The admin password is the other variable. So choose it with extreme care.
Also, '''don't use "admin" as the default user'''. Go to your MySQL database (or the one in which you installed LimeSurvey) and change default user name "admin" to whatever you prefer (e.g. "admin_xyz"). It will now be much harder to guess the administrator's new user name. Remember, this is one of the two variables intruders can use to gain access. The admin password is the other variable. So choose both of them with extreme caution.

Revision as of 13:30, 19 October 2017

Other languages:

Generelles

LimeSurvey relies on its own security, which is activated by default. The authors of this software take no responsibility and makes no claims regarding the appropriateness or security level of this software. However, we take security issues very seriously and react quickly. Therefore, if you know of any security problems within LimeSurvey, please let us know either by sending us an email to info@limesurvey.org or by opening a bug report in our bug tracker (please mark it as private).

Dateirechte in Linux

If you are using a Linux server, setting file permissions accordingly is required to secure your LimeSurey installation.

Grundlegende Fakten über Linux/*nix Dateiberechtigungen

Ein Linux/*nix System ist normalerweise ein Mehrbenutzersystem. Das bedeutet, dass abgesehen von Ihrem persönlichen Zugang noch andere Benutzerzugänge auf dem System bestehen könnten und daher sollten Sie darauf achten, welche Berechtigungen Sie diesen anderen Benutzern geben.

Hint: setting file permissions is especially important in order to secure configuration files holding critical data such as passwords.

Bear in mind that the 'root' account will always be granted permission to access your files (no matter what file permissions you set) as it is the super-admin user.

The web server (which runs LimeSurvey) is also running under a given identity (user). On Linux, this is usually the 'www', 'www-data' (on Debian/Ubuntu), 'apache' or 'nobody' user. However, some hosting companies use systems (such as suexec) that make it possible to run LimeSurvey scripts with your personal user. Of course, the web server user must have the right to read LimeSurvey files. However, only a small subset of LimeSurvey sub-directories must be writable by the web server user.

Hint: it is very valuable to revoke write permission for the web server user to these LimeSurvey sub-directories that do not require it. Indeed, even if a LimeSurvey vulnerability might be discovered, the main files will still be protected from an illicit modification thanks to the file system permissions.

Setzen von Berechtigungen auf einem selbstverwalteten Linux-System

If you're managing your web server and operating system configuration (you are the owner of the physical server or are renting a virtual server on which you have root access), you may consider the following recommendations from below.

You can first set the owner and group of your LimeSurvey files so that it will ease the file permissions setup. A possible strategy is to set the owner of the LimeSurvey files to your personal username, and the group of the LimeSurvey files to the web server group. Usually, this web server group only contains the web server account (and possibly another webmaster account). For instance, if your username is 'myaccount' and the webserver user is 'apache' in the 'apache' group, then, from a shell access, you can use the following command: $ chown -R myaccount:apache limesurvey/. Subsequently, set the file and sub-directories permissions.

For the script to work properly, the write access to some directories is needed:

  • The /limesurvey/application/config directory requires Read & Write for saving the application configuration settings
  • The /limesurvey/tmp directory and its sub-directories are used for imports/uploads and should be set to Read & Write for your web server
  • The upload/directory and all its sub-directories must also have set Read & Write permissions in order to enable pictures and media files upload
  • All other directories and files can be set to Read Only
Hint: supposing you've followed the recommendations above on owner/group, these settings can be applied by the following commands:

$ chmod -R o-r-w-x limesurvey/

$ chmod -R -w limesurvey/

$ chmod -R 770 limesurvey/application/config

$ chmod -R 770 limesurvey/tmp

$ chmod -R 770 limesurvey/upload

Setting file permissions on a hosted web server

Giving the difficulty of a standard procedure to secure a web application on a hosted environment, it is rather difficult because hosted environments differ in many ways.

In the managed server case, the server needs write access to some directories in order for the script to work properly:

  • The /limesurvey/tmp directory is used for imports/uploads and should be set to Read & Write for your web server
  • The upload/directory and all its sub-directories must also have Read & Write for your web server in order to enable pictures and media files upload
  • The other directories and files should be set to Read Only
Hint:
  • Depending on your web server configuration, you will have to chmod the rights on the writable folders to 755 or 777 to make it writable for the web server. Try 755 first, if it does not work, 'upgrade' to 777
  • You can also try to remove other users' read access to config.php by setting this file's permissions to 750 - if it does not work, 'upgrade' to 755

Dateirechte in Windows

If you are using a Windows server, your should ensure that the admin folder allows the owner of the web server process to write files to this directory, The rest of the files can be set to read-only and execute.

Weitere Sicherheitsvorkehrungen

The following are recommendations only. LimeSurvey in general is very safe without these additional measures. If you however collect extremely sensitive data, a little additional security can help:

SSL usage

We generally recommend the usage of SSL for sensitive survey data. You usually enable SSL by configuring your web server correctly and using a SSQL certificate. If you have enabled SSL, you should enforce SSL all the time from the global settings of LimeSurvey. Additionally, you could only set to use 'secure' cookies by editing the respective option in config.php.

The access to the config.php file

  You must update application/config/config.php only after the first installation is done and it works.


The /application/config/config.php file contains a user name and password for your database server. This poses certain security issues, particularly if you are using a login that has high level administrative access to your database. In the event of some error returning the content of this PHP file to a user's browser, your database password and other details could be compromised (however, this is a very unlikely scenario). The best way to minimize risk is to set up a specific login that has specific rights only to your LimeSurvey database.

Another way to secure this information can be to put the information from the /application/config/config.php file in a non-web directory, i.e. for Apache users this is the directory above the htdocs (also known as public_html or www) folder. Basically, you will use config.php, but have one line in it - a line that includes the file with ACTUAL configuration information (ex: <?php return include("/home/hostfolder/safedata/configreal.php"); ?>). Remove all actual configuration information from /application/config/config.php and paste it into the other file (configreal.php) that is mentioned in the /application/config/config.php file. This other file should be located in a non-web directory. Then, /application/config/config.php will not contain database passwords etc. - just the name of the file that DOES contain the database info.

This avoids having to change all the other files that include /application/config/config.php, since config.php 're-directs them' towards the configuration file that is located in a non-web directory which includes all the real configuration information. However, you will need to edit configreal.php and change the follow parameters to use absolute directory paths to work properly: 

'basePath' => dirname(dirname('''FILE''')),
'runtimePath' => dirname(dirname(dirname('''FILE'''))).DIRECTORY_SEPARATOR.'tmp'.DIRECTORY_SEPARATOR.'runtime',
[...]

'urlManager' => array(
   [...]
   'rules' => require('routes.php'),
   [...]
);

Example: 

'basePath' => '/var/www/htdocs/limesurvey',
'runtimePath' => '/var/www/htdocs/limesurvey/tmp/runtime',
[...]

'urlManager' => array(
   [...]
   'rules' => require('/var/www/htdocs/limesurvey/config/routes.php'),
   [...]
);

Also, don't use "admin" as the default user. Go to your MySQL database (or the one in which you installed LimeSurvey) and change default user name "admin" to whatever you prefer (e.g. "admin_xyz"). It will now be much harder to guess the administrator's new user name. Remember, this is one of the two variables intruders can use to gain access. The admin password is the other variable. So choose both of them with extreme caution.

Retrieved from "http://manual.limesurvey.org/index.php?title=Installation_security_hints/de&oldid=81756"