PageBox for PHP security
Foreword

PageBox for PHP is quite powerful and therefore requires proper security measures. This document focuses on security in an Apache environment.

PageBox security

PageBox does not really change the picture: if your server pages have unrestricted access to server resources, and someone finds a way to add or modify a server page, the security of the server is compromised. PageBox for PHP triggers commands to install and remove presentations. These commands are specified in inflate.pb and delete.pb. As a bare minimum, make inflate.pb, delete.pb and the commands you distribute with them read-only, so that a presentation which gets onto the server cannot rewrite the very commands that run at install and removal time. You can also apply the security measures described in the PHP and Apache documentation.

PHP security

Safe mode

If you try to use PageBox at an ISP/ASP, your inflate and delete commands will probably not work, because your ISP has configured PHP in Safe Mode. From the PHP documentation: "Safe Mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren't very realistic, many people, especially ISP's, use Safe Mode for now." First check whether Safe Mode is set with environment.php:
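The page's environment.php is not reproduced above. The script below is an added example, not PageBox's own code: it reports the php.ini settings that decide whether the inflate.pb and delete.pb commands can run (safe_mode, safe_mode_exec_dir, disable_functions) and wraps exec() so that a program is only started the way Safe Mode permits, from safe_mode_exec_dir, with cmd.exe handling batch files on Windows. The function names pagebox_environment and pagebox_exec, and the /bin/echo test command at the end, are assumptions of this example; Safe Mode was removed in PHP 5.4, so on newer PHP ini_get() simply reports it as off.

```php
<?php
// Added example, not PageBox's environment.php: report the php.ini settings
// that decide whether the inflate.pb / delete.pb commands can run, and start a
// program only in the way Safe Mode permits. Function names are assumptions.

function pagebox_environment()
{
    $disabled = array_filter(array_map('trim',
        explode(',', (string) ini_get('disable_functions'))));

    return array(
        // Safe Mode exists only in PHP < 5.4; newer PHP reports it as off.
        'safe_mode'          => (bool) ini_get('safe_mode'),
        'safe_mode_exec_dir' => (string) ini_get('safe_mode_exec_dir'),
        'disable_functions'  => $disabled,
        // exec() may be disabled outright, independently of Safe Mode.
        'exec_available'     => function_exists('exec') && !in_array('exec', $disabled),
        'windows'            => strtoupper(substr(PHP_OS, 0, 3)) === 'WIN',
    );
}

// Run $program with $args. Refuse up front whenever PHP would refuse anyway,
// so an install/remove step fails with a clear reason instead of a silent
// "program not found". Returns array(ok, output, error).
function pagebox_exec($program, $args = array())
{
    $env = pagebox_environment();
    if (!$env['exec_available']) {
        return array('ok' => false, 'output' => array(),
                     'error' => 'exec() is disabled (disable_functions)');
    }

    // The program PHP actually starts: on Windows a .bat/.cmd file is run by
    // cmd.exe, so cmd.exe is what Safe Mode has to find, not the batch file.
    $exe    = $program;
    $switch = '';
    if ($env['windows'] && preg_match('/\.(bat|cmd)$/i', $program)) {
        $exe    = getenv('SYSTEMROOT') . '\\system32\\cmd.exe';
        $switch = ' /c';
        array_unshift($args, $program);
    }

    if ($env['safe_mode']) {
        // Safe Mode only starts programs located in safe_mode_exec_dir, so the
        // copy placed there is what must run, whatever path the caller gave.
        $dir  = rtrim($env['safe_mode_exec_dir'], '/\\');
        $copy = $dir . DIRECTORY_SEPARATOR . basename($exe);
        if ($dir === '' || !is_file($copy)) {
            return array('ok' => false, 'output' => array(),
                         'error' => basename($exe) . " is not in safe_mode_exec_dir ($dir)");
        }
        $exe = $copy;
    }

    // Quote every argument: inflate/delete parameters must never reach the
    // shell unescaped. The /c switch for cmd.exe stays unquoted.
    $cmd = escapeshellarg($exe) . $switch;
    foreach ($args as $arg) {
        $cmd .= ' ' . escapeshellarg($arg);
    }

    $output = array();
    $status = 1;
    exec($cmd . ' 2>&1', $output, $status);
    return array('ok' => $status === 0, 'output' => $output,
                 'error' => $status === 0 ? '' : "exit status $status");
}

// Usage: the report environment.php gives, then one constructed test command.
$env = pagebox_environment();
printf("safe_mode=%s safe_mode_exec_dir=%s exec_available=%s\n",
       $env['safe_mode'] ? 'on' : 'off', $env['safe_mode_exec_dir'],
       $env['exec_available'] ? 'yes' : 'no');
$result = pagebox_exec('/bin/echo', array('PageBox', 'ok'));   // constructed
echo $result['ok'] ? implode("\n", $result['output']) : $result['error'], "\n";
```

Run it once as the web server user on the target host: if safe_mode is on and the programs named in inflate.pb and delete.pb are not yet in safe_mode_exec_dir, pagebox_exec() names the missing file rather than letting the install step fail silently.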
Many functions are restricted or disabled by Safe Mode; see the PHP documentation for the list. If PHP runs in Safe Mode, exec() and the other functions that execute system programs refuse to start programs that are not in safe_mode_exec_dir. You must therefore copy the programs used by inflate.pb and delete.pb into safe_mode_exec_dir. Note: on Windows you need %SYSTEMROOT%\system32\cmd.exe to run batch files, so it is one of the programs that must be available there.

Repository security

Authentication

With Apache you need to update conf/httpd.conf. Assuming that you installed the PageBox repository in D:/Program Files/Apache Group/Apache/htdocs/repository, you can use this definition:
You create and populate D:/Program Files/Apache Group/Apache/PageBox-users.ht with the htpasswd command, for instance:
Then you create D:/Program Files/Apache Group/Apache/PageBox-groups.ht:
Thanks to the Require group PageBox statement, only users belonging to the PageBox group (admin, publisher1, publisher2, subscriber1 and subscriber2) are allowed to query repository resources. Restart Apache. Now when you query publisher.php, subscriber.php or admin.php, you are shown this dialog box:
Enter a valid user name and password belonging to the PageBox group. You are then granted access to repository pages according to the content of adminUser.rep and users.rep. See the Customization guide for more information.

Encryption

Without encryption the user name and password are sent over the wire in clear text (HTTP Basic authentication only Base64-encodes them, which is not encryption). With Apache,
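The httpd.conf definition, the htpasswd invocation and the groups file that the page refers to did not survive extraction. The block below is an added example, not copied from the PageBox site, that puts the pieces the page names together: the repository path, the PageBox-users.ht and PageBox-groups.ht files and the PageBox group with its five members are the page's; the AuthName string and the SSLRequireSSL line (which assumes mod_ssl is loaded and is one way of enforcing the encryption the page calls for) are assumptions of this example.

```apache
# Added example (not the PageBox page's own httpd.conf): protect the
# repository with Basic authentication restricted to the PageBox group.
# Paths use the page's installation directory; adjust them to your layout.
<Directory "D:/Program Files/Apache Group/Apache/htdocs/repository">
    AuthType Basic
    AuthName "PageBox repository"
    # Both files live outside htdocs, so Apache can never serve them.
    AuthUserFile  "D:/Program Files/Apache Group/Apache/PageBox-users.ht"
    AuthGroupFile "D:/Program Files/Apache Group/Apache/PageBox-groups.ht"
    Require group PageBox
    # Assumption: mod_ssl is loaded. Refuse plain-HTTP requests so the Basic
    # credentials are only ever sent inside a TLS connection.
    SSLRequireSSL
</Directory>

# PageBox-users.ht is created with htpasswd; -c creates the file, so use it
# for the first user only or you overwrite the existing entries:
#   htpasswd -c "D:/Program Files/Apache Group/Apache/PageBox-users.ht" admin
#   htpasswd    "D:/Program Files/Apache Group/Apache/PageBox-users.ht" publisher1
#   htpasswd    "D:/Program Files/Apache Group/Apache/PageBox-users.ht" publisher2
#   htpasswd    "D:/Program Files/Apache Group/Apache/PageBox-users.ht" subscriber1
#   htpasswd    "D:/Program Files/Apache Group/Apache/PageBox-users.ht" subscriber2
#
# PageBox-groups.ht, one group per line, members separated by spaces:
#   PageBox: admin publisher1 publisher2 subscriber1 subscriber2
```

Let htpasswd prompt for each password rather than passing it with -b, which leaves it in the shell history and the process list. Restrict the two .ht files to the account Apache runs as; Require group only checks membership, the password hashes themselves are only as safe as the file permissions. On Apache 2.4, AuthUserFile and AuthGroupFile need mod_authn_file and mod_authz_groupfile loaded.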
Contact: support@pagebox.net