I have been working in a Windows environment for producing & deploying Django for internal use at work and have been asked to add a feature to read files saved on the network drive (ideally, .xlsx file view). So, I would want to list .xlsx files in a specified folder on the network drive and let the user view the file when clicking on it.
My first approach was to create a user account with "Log on as a service" and "Act as part of the operating system," and run the Apache using this account. But, later realized I can't inherit the access to the network drive my admin account has (or is it possible?).
And, I decided to run it with my admin account, which I know is not a good idea to do in production, but wanted to see that I am on the right track... Tried the config below but I am stuck at how to proceed from here to achieve the feature described above. /l/ is an alias of the UNC of the network drive.
<Directory /l/>
Options Indexes FollowSymLinks Includes ExecCGI
AllowOverride All
Require all granted
Allow from all
</Directory>
I tried SMB to try connecting but a connection error was returned (not even sure it is applicable in my case). Can anyone please at least guide me whether I am walking in the right direction?
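An added example (not part of the question above) for the listing-and-download part of the feature, independent of how the share is mounted: it lists the .xlsx files that sit directly in one folder and maps a file name taken from a request back to a file in that folder, refusing anything that escapes it (../ segments, absolute paths, symlinks pointing elsewhere). It does not solve the service-account question; the share path and the sample files are constructed for the demonstration.

```python
import tempfile
from pathlib import Path

# Added example, not from the original question. The share folder is whatever
# the web app is configured with (the asker's /l/ alias); here it is a temp dir.
ALLOWED_SUFFIX = ".xlsx"


def list_spreadsheets(share_root):
    """Return the .xlsx file names directly inside share_root, sorted."""
    root = Path(share_root).resolve()
    return sorted(p.name for p in root.iterdir()
                  if p.is_file() and p.suffix.lower() == ALLOWED_SUFFIX)


def resolve_download(share_root, requested_name):
    """Map a client-supplied name to a real file inside share_root.

    Returns the resolved Path, or None when the name does not denote a plain
    .xlsx file sitting directly in the share folder.
    """
    root = Path(share_root).resolve()
    # resolve() collapses '..' and follows symlinks, so the check below sees
    # where the request really lands, not how it was spelled.
    candidate = (root / requested_name).resolve()
    if candidate.parent != root:
        return None  # escaped the folder: traversal, absolute path, or symlink out
    if candidate.suffix.lower() != ALLOWED_SUFFIX or not candidate.is_file():
        return None  # wrong type, a directory, or does not exist
    return candidate


def build_demo_share():
    """Constructed sample share used only for the demonstration; returns its path."""
    root = Path(tempfile.mkdtemp(prefix="demo_share_"))
    (root / "budget.xlsx").write_bytes(b"constructed sample workbook")
    (root / "notes.txt").write_bytes(b"constructed sample text file")
    (root / "archive").mkdir()
    (root / "archive" / "old.xlsx").write_bytes(b"constructed sample workbook")
    return root


if __name__ == "__main__":
    share = build_demo_share()
    print(list_spreadsheets(share))                     # ['budget.xlsx']
    print(resolve_download(share, "budget.xlsx"))       # <share>/budget.xlsx
    print(resolve_download(share, "../../etc/passwd"))  # None
    print(resolve_download(share, "archive/old.xlsx"))  # None: not directly in the share
```

In a Django view the None case becomes a 404 and the Path is handed to FileResponse; the point is that the request never chooses the directory, only a name that must land back inside the configured folder.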
Related
I have an EC2 running in AWS. I have installed LAMP. Everything works as expected.
Now if my IP to access phpMyAdmin gets changed because of my location or wifi change or network change,
I am not able to access phpMyAdmin and I always get a forbidden error.
I am not able to find a solution to this problem.
I searched through stackoverflow. There are questions on this topic. I tried all the answers but didn't get a resolution.
Please help.
Thanks
Just to share knowledge, it's the modification below to
/etc/httpd/conf.d/phpMyadmin.conf
that solved the problem.
<Directory /usr/share/phpMyAdmin/>
AllowOverride all
Require all granted
</Directory>
But I also read somewhere that it's not a good idea to allow phpMyAdmin access from everywhere. I'm new to phpMyAdmin. So experts are welcome to comment.
Thanks
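An added configuration example, not from the answer above: the posted block beside a restricted version of it. The first grants every address on the internet the phpMyAdmin login page; the second lets Apache answer 403 to everything except listed client addresses before the request ever reaches PHP. The addresses are documentation-range placeholders to be replaced with the networks you actually connect from.

```apache
# Added example; /usr/share/phpMyAdmin/ is the path from the post above.

# As posted: open to the world. Anyone who finds the URL can start guessing
# database credentials against phpMyAdmin.
<Directory /usr/share/phpMyAdmin/>
    AllowOverride all
    Require all granted
</Directory>

# Restricted: only the listed networks (placeholders) and the local host.
<Directory /usr/share/phpMyAdmin/>
    AllowOverride none
    <RequireAny>
        Require ip 203.0.113.0/24
        Require ip 198.51.100.7
        Require local
    </RequireAny>
</Directory>
```

When the client address keeps changing, which is the problem in the question, one workable pattern is to keep only Require local and reach phpMyAdmin through an SSH port forward to the instance (for example ssh -L 8080:127.0.0.1:80), so the allow list never needs editing. Reload Apache after changing the file.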
I uploaded a website that is working in the localhost using Akeeba backup. It is done by creating a new public_html at the host using its cPanel. Next I transfer the .jpa & the kickstart.php to this new folder. Finally I browse the kickstart.php and restore the website running on Joomla 2.5.14.
Accessing the admin panel of Joomla, it reports all folders as WRITEABLE and the site runs well. In cPanel all folders' permission is set to 755 & files 644 as expected; I then change configuration.php to 444.
However when I try to edit the configuration.php in the host, I found I can't change the file permission or save any edit. This in fact affects all files. After informing the host, they change the file ownership setting, then in cPanel I CAN edit files BUT now Joomla reports all folders become UNWRITEABLE, creating more problems, e.g. cannot install new extension; somehow Joomla no longer has edit rights to the folders.
More ... at this state, to make a folder WRITEABLE to Joomla, it must be set to file permission 777. It is unexpected & unacceptable; 775 is sufficient for Joomla to report as writeable, i.e. if the host is doing the right thing for Joomla (as I found in another hosting site).
When I tell the host to change it back to the state after Akeeba restoration, they say that will mean they have to set the folders with ownership = nobody.
I would imagine ownership of folders & all their content can be made to be the cPanel user AND the Joomla, i.e. PHP/Apache, user. Can someone enlighten me on this puzzle so that I can talk more intelligently with the host or point out where I went wrong. I am getting nowhere with them.
PS: Latest Sharing Update
The solution is to find a host that has Server API showing as cgi/fastcgi, which means that suPHP of Apache is enabled (sorry, cannot post .jpg, < 10 reputation).
With cgi, Joomla reports all 755 folders as writeable.
Now the new question
If the host uses Server API = Apache 2.0, how can I enable suPHP from the website?
As you have worked out, suPHP or FastCGI should usually be enabled for Joomla file permissions and file ownership to work as you would expect.
There is a good article on this at: http://boomshadow.net/tech/php-handlers
In a shared hosting environment you don't usually have access to change which PHP file handler is enabled but your web hosting company may be able to change this for you.
If your web hosting company can't enable suPHP or FastCGI, the only other option might be to find a new web hosting company.
According to Django document: "it was common to place static assets in MEDIA_ROOT along with user-uploaded files, and serve them both at MEDIA_URL. "
Does that mean everyone could access other people's uploaded files?
Isn't it unsafe?
Yes
A clever user can possibly guess the path to media files belonging to other users.
Django was born in the news publishing business where this was not of concern: the admin is based in the concept of trusted users like writers and editors belonging to the same organization.
Mitigation
Requiring authentication
Not my first choice but you can make the webserver authenticate against Django's user database:
WSGIScriptAlias / /path/to/mysite.com/mysite/wsgi.py
WSGIPythonPath /path/to/mysite.com
WSGIProcessGroup %{GLOBAL}
WSGIApplicationGroup %{GLOBAL}
<Location "/media/private-user-content/">
AuthType Basic
AuthName "Top Secret"
Require valid-user
AuthBasicProvider wsgi
WSGIAuthUserScript /path/to/mysite.com/mysite/wsgi.py
</Location>
The accepted answer recommends serving sensitive files from an authenticated Django view. It is OK for low traffic apps but for larger projects it carries a performance hit not every site can afford.
Serving from Cloud Storage Services
Large projects should be using some cloud storage backend for both performance and cost considerations. If your project is already hosted with one of the big 3 (AWS, GCP, Azure) check Django Storages. For example, if you are using the S3 backend, you can turn on "query parameter authentication" for generated URLs and voila, problem gone. This has some advantages:
it is transparent to developers
enterprise-grade performance
lower cost of storage and network
probably the most secure option
Obfuscating the path
For small projects where you are serving media and application from the same webserver you can make it very hard for nosy users to find media files not belonging to them:
1) disable the web server "auto index" in the MEDIA_ROOT folder. For Apache, it is like:
<Directory /path/to/application/media/root>
Options -Indexes
</Directory>
Without indexes, in order to access files belonging to other people you will have to guess the exact file name.
2) make the file path hard to guess using a crypto hash in the "upload_to" parameter from FileFields:
import hashlib

from django.contrib.auth.models import User
from django.db import models


def hard_to_guess(instance, filename):
    # Per-user directory name: MD5 of the username plus a fixed secret salt
    salt = 'six random words for hidden salt'
    digest = hashlib.md5((instance.user.username + salt).encode('utf-8')).hexdigest()
    return '/'.join(['content', digest, filename])
...
class SomeModel(models.Model):
    ...
    user = models.ForeignKey(User, on_delete=models.CASCADE)
    content = models.FileField(upload_to=hard_to_guess)
    ...
This solution has no performance hit because media files are still served directly from the webserver.
To answer your question: yes, this would allow everyone to access everybody's uploaded files. And yes, this is a security risk.
As a general rule, sensitive files should never be served directly from the filesystem. As another rule, all files should be considered sensitive unless explicitly marked otherwise.
The origin of the MEDIA_ROOT and MEDIA_URL settings probably lies in Django's history as a publishing platform. After all, your editors probably won't mind if the pictures they add to articles can easily be found. But then again, pictures accompanying an article are usually non-sensitive.
To expand on your question: sensitive files should always be placed in a directory that is not directly accessible by the web server. Requesting those files should only be done through a view class or function, which can do some sensible access checking before serving the file.
Also, do not rely on obfuscation for sensitive files. For example, let's use Paulo's example (see other answer) to obfuscate photo albums. Now my pictures are stored like MEDIA_URL/A8FEB0993BED/P100001.JPG. If I share this link with someone else, they can easily try URLs like MEDIA_URL/A8FEB0993BED/P710032.JPG, basically allowing them to brute-force my entire photo album.
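An added example covering both answers above (Paulo's obfuscated upload_to and the warning against relying on it); it is not Django's code and not from either answer. It models the two points in plain Python: a stored file gets a random, per-file name rather than one derived from the username (so neither the md5-of-username directory nor a camera's sequential file names can be walked), and a download is handed out only after an ownership check, which is what a Django view would do instead of exposing MEDIA_URL directly. The upload directory, the in-memory record store and the sample uploads are all constructed for the demonstration.

```python
import os
import secrets
import tempfile

# Added example, not Django's API. Constructed stand-ins: a private directory
# the web server does not serve, and a dict in place of the database table.
UPLOAD_ROOT = tempfile.mkdtemp(prefix="private_uploads_")
_records = {}  # record_id -> (owner, stored_path)


def store_upload(owner, original_name, data):
    """Write data under an unguessable per-file name; return the record id."""
    safe_base = os.path.basename(original_name)  # drop client-supplied directories
    # token_urlsafe(16) gives 128 random bits per file: not derivable from the
    # owner, and unrelated to the names of the owner's other files.
    stored_name = f"{secrets.token_urlsafe(16)}_{safe_base}"
    path = os.path.join(UPLOAD_ROOT, owner, stored_name)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    record_id = secrets.token_hex(8)
    _records[record_id] = (owner, path)
    return record_id


def serve_download(request_user, record_id):
    """Return the stored path if request_user owns the record, else None.

    Unknown ids and other people's files both yield None, so a caller probing
    ids cannot learn which ones exist (the view maps None to a 404).
    """
    record = _records.get(record_id)
    if record is None:
        return None
    owner, path = record
    if request_user is None or request_user != owner:
        return None
    return path


def stored_name_of(record_id):
    """Helper for inspection: the on-disk file name behind a record."""
    return os.path.basename(_records[record_id][1])


if __name__ == "__main__":
    first = store_upload("alice", "P100001.JPG", b"constructed image bytes")
    second = store_upload("alice", "P100002.JPG", b"constructed image bytes")
    print(stored_name_of(first), stored_name_of(second))  # two unrelated random prefixes
    print(serve_download("alice", first) is not None)      # True
    print(serve_download("mallory", first))                # None
    print(serve_download("alice", "0000000000000000"))     # None
```

In a real Django view the non-None branch becomes FileResponse(open(path, 'rb')); the ownership comparison is the part that Paulo's scheme leaves out and that no amount of path obfuscation replaces.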
I believe a subdirectory would be mysite.com/m/index.htm. I would like the "m" at the front so as to appear "m.mysite.com".
What do I call that type of directory?
I currently have a stylesheet for mobile and it just sits in my root directory and is used with a media query when someone with a small screen visits my site. The mobile optimized sheet uses the main index.htm page.
How would I change the folders in my directory to show "m.mysite.com" when someone is visiting from mobile?
It's not a directory at all. First you need to add a DNS entry for m.example.com, then you need to configure your web server software to serve requests to that host name from the directory you wish.
How you do that depends on your host, your web serving software and how easily you can reconfigure things. It's a bunch of combinations and you haven't given anywhere near enough detail for anyone to answer.
I have a shared hosting account for my ColdFusion websites. One of my customers needs CFChart graphics for his statistics. I've programmed them and they run ok on my own development server, but they don't show up online. The reason is that ColdFusion puts the generated images into /CFIDE which is outside of my part of the file system, and not accessible for me in a shared hosting environment.
IMG SRC="/CFIDE/GraphData.cfm?graphCache=wc50&graphID=Images/4990209100100002.PNG"
The hoster uses IIS on a Windows machine and CF7. He has tried several things (configuration-wise), but so far, nothing helped.
What can we do?
We have a site that creates statistical charts on a schedule. CFChart allows you to store the data to a variable (the "name" attribute). Then use CFFile to write the chart to any location within your webroot. We use it for Flash charts, but I've tested it with PNG as well, and it works fine.
I'm not sure how you'd go about adding this to IIS, but I've used this on Apache to solve the same issue:
Alias /CFIDE /var/www/html/CFIDE
<Directory /var/www/html/CFIDE>
Order deny,allow
Deny from all
</Directory>
<Files ~ "^GraphData.cfm$">
Order allow,deny
Allow from all
</Files>
I believe it would be possible to use the techniques described in this blog post:
link text
And store the image in a location where the browser could get to it.