Welcome to the LimeSurvey Community Forum

Setting runtimePath out of web access?

1 year 11 months ago - 1 year 11 months ago #227735 by mhladun
Can someone help me understand this concept in relation to LimeSurvey in a Linux (CentOS) environment?

The default runtimePath is ~/limesurvey/tmp/runtime with chmod -R 777 privileges (read and write by everyone). However, the config.php file comes with a comment recommending that the default runtimePath be changed:

// For security issue : it's better to set runtimePath out of web access
// Directory must be readable and writable by the webuser

What is the point of changing the runtimePath if the new runtimePath, for example ~/limesurvey/runtime, has the same chmod -R 777 privileges? What's the security benefit here?

I have noticed that /assets/ and /uploads/ remain in ~/limesurvey/tmp/, but they have the same user permissions as the new ~/limesurvey/runtime/ folder.

It would be great if this could be utilized to hide the site's logs.
Last edit: 1 year 11 months ago by mhladun.


1 year 11 months ago #227737 by mhladun
Replied by mhladun on topic Setting runtimePath out of web access?
I've thought about it a bit more and I might understand now. If the runtimePath is moved to somewhere the URL can't point to, the runtimePath files are inaccessible from the internet.

For example, if LimeSurvey's root dir is /var/www/html/limesurvey/, and the domain name https://mylimesurveysite.com/ points to the root dir, then to get a log file from the default runtimePath, you visit https://mylimesurveysite.com/tmp/runtime/application.log

But if you move your runtimePath to /var/limesurvey_runtime/, this directory is inaccessible because navigating there using the URL (https://mylimesurveysite.com/../../../limesurvey_runtime/application.log) is not possible (../../ is not allowed in URLs and won't evaluate this parent path).

Is my understanding correct?


1 year 11 months ago #227766 by jelo
Replied by jelo on topic Setting runtimePath out of web access?
The idea about moving folders out of the webroot is to prevent direct download/access when e.g. an issue (PHP interpreter fails, Webserver is not executing php or no longer preventing access) occurs.

You usually don't use 777 when it comes to webservers these days. It depends on how the webserver and the php-handler are configured. Under Apache+PHP-FPM LimeSurvey is mostly using 0775 for folders.
Only tmp/runtime/cache is set as 0777 (but that might work with 0755 as well). The cache files themselves are 0666. /tmp/assets contains folders with 0777 and files with 0666.

The rule of thumb is to stay away from 0777 as often as possible. If you don't know what your exact webserver/php setup is, try 0755 for folders and 0644 for files.
But the installer should normally know which item needs 0777 and 0666.

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
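The two points raised in this thread, whether a runtimePath is still reachable under the web server's document root and whether the tree still carries the 0777/0666 modes, can both be checked from a shell. The script below is an added example written for this page; it is not code from the forum posts or from LimeSurvey itself. It assumes a POSIX shell with a find that accepts octal -perm and an ls whose -ld output has the usual ten-character mode field; the directory layout in the demo is constructed under a temporary directory and removed afterwards.

```shell
#!/bin/sh
# Added example (not from the forum thread or the LimeSurvey project):
# checks a LimeSurvey admin can run after editing runtimePath in
# application/config/config.php.

# Canonicalise an existing directory: follows symlinks, removes "..".
canon_dir() {
  (cd "$1" 2>/dev/null && pwd -P)
}

# runtime_exposed DOCROOT RUNTIMEPATH
# Exit 0 when RUNTIMEPATH resolves to a location inside DOCROOT (so it is
# reachable by URL, like the default tmp/runtime), 1 when it is outside,
# 2 when either directory does not exist. Symlinks are resolved first, so
# a link inside the docroot pointing outside is reported as outside.
runtime_exposed() {
  root=$(canon_dir "$1") || return 2
  target=$(canon_dir "$2") || return 2
  root=${root%/}   # "/" becomes "" so the pattern below still works
  case "$target/" in
    "$root"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# world_writable PATH
# Exit 0 when the "others" class may write to PATH (the 0777/0666 pattern
# the thread warns about), 1 otherwise. Column 9 of `ls -ld` is o+w.
world_writable() {
  perm=$(ls -ld "$1" | cut -c9)
  [ "$perm" = "w" ]
}

# list_world_writable DIR
# Print every entry under DIR that others can write to; prints nothing
# when the tree already follows the 0755/0644 rule of thumb.
list_world_writable() {
  find "$1" -perm -002 -print
}

# count_world_writable DIR: number of such entries, for scripted checks.
count_world_writable() {
  find "$1" -perm -002 -print | wc -l | tr -d ' '
}

# Demo on a constructed layout: the default in-docroot runtime with 0777,
# and a relocated runtime outside the docroot with 0755.
demo() {
  base=$(mktemp -d) || return 1
  docroot="$base/var/www/html/limesurvey"
  mkdir -p "$docroot/tmp/runtime" "$base/var/limesurvey_runtime"
  chmod 777 "$docroot/tmp/runtime"           # layout from the question
  chmod 755 "$base/var/limesurvey_runtime"   # rule-of-thumb mode

  for rt in "$docroot/tmp/runtime" "$base/var/limesurvey_runtime"; do
    if runtime_exposed "$docroot" "$rt"; then
      echo "EXPOSED  $rt (reachable under the document root)"
    else
      echo "OUTSIDE  $rt"
    fi
    list_world_writable "$rt" | sed 's/^/  world-writable: /'
  done
  rm -rf "$base"
}

demo
```

runtime_exposed answers the question from the first post: a runtimePath that canonicalises to somewhere under the document root is reachable by URL no matter what its mode is, while one outside the docroot is not served at all. The world-writable listing covers jelo's second point: once the directory is outside the docroot, the remaining concern is other local users, which is what tightening 0777/0666 toward 0755/0644 addresses.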
