Security

From Limbas Wiki

This page is a translated version of the page Sicherheit; the translation is 100% complete and up to date.



Authentication

Limbas always requires a valid authentication. Anonymous or guest users without authentication are not supported. Authentication is done via the BASIC-Auth of the Apache server. To keep the authentication exchange encrypted, it is always advisable to use SSL connections only.
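The following Apache configuration is an added example, not a file shipped with Limbas: it redirects plain HTTP to HTTPS and requires Basic authentication for the whole installation, so that the Basic-Auth credentials never travel unencrypted. The host name, install directory, certificate paths and the location of the htpasswd file are assumptions.

```apache
# Added example (not from the Limbas wiki): HTTPS-only access plus Apache
# Basic authentication for the entire Limbas document root.
# Assumed values: host limbas.example.org, install dir /var/www/limbas,
# password file /etc/apache2/limbas.htpasswd, certificate paths under /etc/ssl.

# Plain HTTP is only used to send the client to HTTPS; no content and no
# authentication challenge is served here, so credentials are never sent in
# clear text.
<VirtualHost *:80>
    ServerName limbas.example.org
    Redirect permanent / https://limbas.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName limbas.example.org
    SSLEngine on
    # assumed certificate and key paths
    SSLCertificateFile    /etc/ssl/certs/limbas.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/limbas.example.org.key

    DocumentRoot /var/www/limbas
    <Directory /var/www/limbas>
        # Every request needs a valid user: no anonymous or guest access,
        # which matches what Limbas expects.
        AuthType Basic
        AuthName "Limbas"
        AuthUserFile /etc/apache2/limbas.htpasswd
        Require valid-user
        # Refuse to serve this directory over anything but TLS, even if the
        # directory ever becomes reachable through another virtual host.
        SSLRequireSSL
    </Directory>
</VirtualHost>
```

The AuthUserFile is kept outside the document root on purpose so that it can never be downloaded; the Require and Auth* directives work unchanged on Apache 2.2 and 2.4.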

LDAP

Alternatively, an external LDAP authentication can be used. Users are then created automatically in Limbas and assigned to the appropriate group. Only those groups are included whose names are identical in LIMBAS and in LDAP. If the group membership changes in LDAP, it is updated at the next login in LIMBAS. If a user is deleted in LDAP, the user is not automatically deleted in LIMBAS, but signing in is no longer possible. An exception is the user 'admin': this user is always authenticated by the LIMBAS system and not by LDAP.

You can change the LDAP parameters in umgvars:

  • header_auth: client browser authentication (basic/digest)
  • server_auth: server authentication method (intern/LDAP)
  • LDAP_domain: a valid LDAP or domain server
  • LDAP_baseDn: the base DN for your domain
  • LDAP_accountSuffix: the full account suffix for your domain

Sign In

After a successful authentication a PHP session is created, which remains valid as long as the browser is open or as long as the server settings permit. An explicit logout is not necessary.

.htaccess

For a minimum of security it is necessary to activate the delivered “.htaccess.demo” in the directory ./dependent/ (rename it to “.htaccess”) or to transfer its content into httpd.conf. In principle, all files except those explicitly defined are not allowed to be executed.
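As an added illustration of the deny-by-default principle described here (this is not the content of the shipped .htaccess.demo), the following .htaccess refuses every file and then re-allows only an explicit list of entry points. The file names in the allow-list are placeholders; the real list has to be taken from ./dependent/.htaccess.demo.

```apache
# Added example, not the Limbas .htaccess.demo: deny everything by default,
# then re-allow only the explicitly named entry points.
# The names index.php and main.php are placeholders for the real Limbas
# entry points.

# Apache 2.2 (mod_authz_host): only present when mod_authz_core, which
# exists from 2.4 on, is absent.
<IfModule !mod_authz_core.c>
    <Files "*">
        Order deny,allow
        Deny from all
    </Files>
    # A later, more specific section overrides the catch-all above.
    <FilesMatch "^(index|main)\.php$">
        Order allow,deny
        Allow from all
    </FilesMatch>
</IfModule>

# Apache 2.4 (mod_authz_core): same policy in the native syntax.
<IfModule mod_authz_core.c>
    <Files "*">
        Require all denied
    </Files>
    <FilesMatch "^(index|main)\.php$">
        Require all granted
    </FilesMatch>
</IfModule>
```

For this to take effect from a .htaccess file the directory needs AllowOverride Limit (2.2 Order/Deny/Allow) or AllowOverride AuthConfig (2.4 Require); when the content is moved into httpd.conf instead, as the page allows, wrap it in the matching <Directory> section and AllowOverride is not needed.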

UPLOAD

All files in the directory ./UPLOAD/ are renamed using an MD5 hash.

Against direct reads by users the directory is protected with an “htaccess” file. For downloading files, a temporary symbolic link is provided in the appropriate subdirectory.

order deny,allow
deny  from all

USER

When a user is created, all user directories are protected with a generated “htaccess/.htpasswd” file. This file is regenerated every time the password is changed. The automatic generation of the “.htaccess” files of all user directories via the Limbas admin tool (tools->system) can only take place if the option “clear_pass” in the Umgvars is activated. This option is nevertheless only recommended for advanced administrators.
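The following is an added, hypothetical reconstruction of what such a per-user protection looks like; it is not the file Limbas actually writes. The layout (USER/alice/ with .htaccess and .htpasswd side by side), the user name alice and the hash value are assumptions.

```apache
# Added example, not the file generated by Limbas. Assumed layout:
# /var/www/limbas/USER/alice/.htaccess and .htpasswd in the same directory.
#
# --- contents of USER/alice/.htaccess ---
AuthType Basic
AuthName "Limbas user directory"
AuthUserFile /var/www/limbas/USER/alice/.htpasswd
# Only this one account may read the directory, not every valid Limbas user.
Require user alice
# Never serve the password file itself, even though it sits inside the
# protected directory (the Apache default configuration usually already
# blocks all files starting with ".ht").
<FilesMatch "^\.ht">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
#
# --- contents of USER/alice/.htpasswd (one line per account) ---
# The value after the colon is a placeholder for the password hash.
# Apache 2.4's htpasswd tool writes bcrypt with "htpasswd -B"; the line has
# to be regenerated whenever the password changes, as described above.
#   alice:$2y$05$<bcrypt-hash-placeholder>
```

Note that Apache must be able to read the .htpasswd file, but the file should not be writable by the web server user beyond what the regeneration on password change requires.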

Directory Rights

The entire source code should be read-only. The Apache user must have write access to the following directories, recursively:

  • BACKUP
  • TEMP
  • UPLOAD
  • USER

Admin

Additionally, the directory ./admin/ can be restricted to local users only. Alternatively, an “htaccess” file can be placed in the admin directory which allows access only for defined IP addresses.

order deny,allow
deny  from all
allow from 192.168
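The snippet above uses Apache 2.2 directives. On Apache 2.4 they are provided by mod_access_compat and are ignored unless that module is loaded; the native 2.4 form is Require ip. The following is an added example of an equivalent ./admin/.htaccess for Apache 2.4 (not the page's own snippet); the address ranges are placeholders, and the valid-user part assumes that Basic authentication is configured for the parent directory as described under Authentication.

```apache
# Added example for ./admin/.htaccess on Apache 2.4 (not from the Limbas wiki).
# Address ranges are placeholders.
<IfModule mod_authz_core.c>
    # "allow from 192.168" on 2.2 is a prefix match, i.e. 192.168.0.0/16;
    # on 2.4 the range is stated explicitly as CIDR.
    <RequireAll>
        # The client must come from one of these addresses ...
        <RequireAny>
            Require ip 127.0.0.1 ::1
            Require ip 192.168.0.0/16
        </RequireAny>
        # ... AND must still hold a valid Basic-auth login. This assumes
        # AuthType/AuthUserFile are set for the parent directory; remove this
        # line to restrict by address only, as the 2.2 snippet does.
        Require valid-user
    </RequireAll>
</IfModule>
```

Without the <RequireAll> wrapper, several Require lines at the same level are combined as "any of", so the wrapper is what makes the address restriction and the login both mandatory.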

php.ini

In general, PHP should have the following settings:

  • register_globals = off
  • magic_quotes_gpc = off

Upload Size

The maximum upload size should be configured as follows:

  • file_uploads = On
  • upload_max_filesize = 10M
  • post_max_size = 16M

Memory

The maximum amount of memory used by PHP should not be limited too strictly, since for example the PDF generator and larger table outputs need sufficient memory.

  • memory_limit = 128M

Post Limit

A newer PHP setting is the maximum number of POST form elements, whose default can easily be exceeded by Limbas if there are many tables with many fields.

  • max_input_vars = 10000

ODBC

Long texts are read via ODBC with a predefined size. If this size is too small, text blocks may be truncated; if it is too large, performance suffers. Depending on the usage, you should adjust the value to your own needs and approach the required value gradually.

  • odbc.defaultlrl = 104857