Setting runtimePath out of web access?
2 years 1 week ago - 2 years 1 week ago #227735
by mhladun
Setting runtimePath out of web access? was created by mhladun
Can someone help me understand this concept in relation to LimeSurvey in a Linux (CentOS) environment?
The default runtimePath is ~/limesurvey/tmp/runtime with chmod -R 777 privileges (read and write by everyone). However, the config.php file comes with a comment recommending the default runtimePath should be changed.
What is the point of changing the runtimePath if the new runtimePath, for example ~/limesurvey/runtime, has the same chmod -R 777 privileges? What's the security benefit here?
Code:
// For security issue : it's better to set runtimePath out of web access
// Directory must be readable and writable by the webuser
I have noticed that /assets/ and /uploads/ remain in ~/limesurvey/tmp/, but they have the same user permissions as the new ~/limesurvey/runtime/ folder.
It would be great if this could be utilized to hide the site's logs.
Last edit: 2 years 1 week ago by mhladun.
2 years 1 week ago #227737
by mhladun
Replied by mhladun on topic Setting runtimePath out of web access?
I've thought about it a bit more and I might understand now. If the runtimePath is moved to somewhere the URL can't point to, the runtimePath files are inaccessible from the internet.
For example, if LimeSurvey's root dir is
Code:
/var/www/html/limesurvey/
and the domain name
Code:
https://mylimesurveysite.com/
points to the root dir, then to get a log file from the default runtimePath, you visit
Code:
https://mylimesurveysite.com/tmp/runtime/application.log
But if you move your runtimePath to
Code:
/var/limesurvey_runtime/
this directory is inaccessible because navigating there using the URL
Code:
https://mylimesurveysite.com/../../../limesurvey_runtime/application.log
is not possible (../../ is not allowed in URLs and won't evaluate this parent path).
Is my understanding correct?
2 years 6 days ago #227766
by jelo
Replied by jelo on topic Setting runtimePath out of web access?
The idea about moving folders out of the webroot is to prevent direct download/access when e.g. an issue (PHP interpreter fails, Webserver is not executing php or no longer preventing access) occurs.
You usually don't use 777 when it comes to webservers these days. It depends on how the webserver and the php-handler are configured. Under Apache+PHP-FPM LimeSurvey is mostly using 0775 for folders.
Only tmp/runtime/cache is set as 0777 (but that might work with 0755 as well). The cache files themselves are 0666. /tmp/assets contains folders with 0777 and files with 0666.
The rule of thumb is to stay away from 0777 as often as possible. If you don't know what your exact webserver/php setup is, try 0755 for folders and 0644 for files.
But the installer should normally know which item needs 0777 and 0666.
The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
The following user(s) said Thank You: mhladun
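An added example (not from the posts above and not LimeSurvey code) of how an administrator could check the two points this thread discusses: whether a chosen runtimePath is still located under the web root, and whether anything beneath it is world-writable. It assumes GNU coreutils `realpath` and `find`; the function names are hypothetical, and the paths in the usage comment are the ones given in the thread.

```bash
#!/usr/bin/env bash
# Added example, not LimeSurvey code. Requires GNU realpath and find.

# Returns 0 when path $2 lies inside web root $1, else 1.
# Compared twice: with symlinks resolved, and lexically (-s), because a
# symlink inside the web root is still reachable by URL if the server follows it.
is_under_webroot() {
    local root path mode
    for mode in "" "-s"; do
        # -m: normalise ".." even when the path does not exist yet
        root=$(realpath -m $mode -- "$1")
        path=$(realpath -m $mode -- "$2")
        root="${root%/}"
        case "$path/" in
            "$root"/*) return 0 ;;
        esac
    done
    return 1
}

# Prints every regular file or directory under $1 that has the o+w bit set.
world_writable() {
    find "$1" -xdev \( -type d -o -type f \) -perm -0002 -print 2>/dev/null
}

# Prints warnings for one install; the return code is the number of warnings.
audit_runtime_path() {
    local webroot="$1" runtime="$2" findings=0 n
    if is_under_webroot "$webroot" "$runtime"; then
        echo "WARN: $runtime is inside web root $webroot"
        findings=$((findings + 1))
    fi
    n=$(world_writable "$runtime" | wc -l)
    if [ "$n" -gt 0 ]; then
        echo "WARN: $n world-writable entries under $runtime"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage with the paths from the posts above:
#   audit_runtime_path /var/www/html/limesurvey /var/limesurvey_runtime
```

A return code of 0 means the runtime directory is outside the web root and contains no world-writable entries; the web server user still needs read and write access to it through owner or group bits.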