From dea188ff77ca3f44387d886dd20fbb575309ae87 Mon Sep 17 00:00:00 2001 From: Gunnstein Lye <289744+glye@users.noreply.github.com> Date: Mon, 8 Apr 2024 11:27:23 +0200 Subject: [PATCH 1/7] Security checklist: File system permissions --- .../security/security_checklist.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/infrastructure_and_maintenance/security/security_checklist.md b/docs/infrastructure_and_maintenance/security/security_checklist.md index 144ed50f8a..85973a14ea 100644 --- a/docs/infrastructure_and_maintenance/security/security_checklist.md +++ b/docs/infrastructure_and_maintenance/security/security_checklist.md 
@@ -190,7 +190,10 @@ Once you have properly configured secure user roles and permissions, to avoid ex - Avoid exposing servers on the open internet when not strictly required. - Ensure any servers, services, ports and virtual hosts that were opened for testing purposes are shut down before going live. -- Secure the database with a good password, keys, firewall, etc. Ensure that the database user used by the web app only has access to do the operations needed by [[= product_name =]]. The Data Definition Language (DDL) commands (create, alter, drop, truncate, comment) are not needed for running [[= product_name =]], only for installing and upgrading it. If the web app user does not have these rights, then that reduces the damage that can be done if there is a security breach. +- Ensure file system permissions are set up such that the web server / PHP user cannot access files it shouldn't be able to read. +- Secure the database with a good password, keys, firewall, etc. Optionally, ensure that the database user used by the web app only has access to do the operations needed by [[= product_name =]]. The Data Definition Language (DDL) commands (create, alter, drop, truncate, comment) are not needed for running [[= product_name =]], only for installing and upgrading it. If the web app user does not have these rights, then that reduces the damage that can be done if there is a security breach. + +The above steps are not needed when using Ibexa Cloud, where these things are handled by the provider. ### Security headers From 20063ff0cedea2772ce3f2f83cc03d5d4be7f32b Mon Sep 17 00:00:00 2001 From: Adrien Dupuis <61695653+adriendupuis@users.noreply.github.com> Date: Mon, 8 Apr 2024 16:51:34 +0200 Subject: [PATCH 2/7] security_checklist.md: Restricted DB user w/ example --- .../security/security_checklist.md | 28 ++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) 
diff --git a/docs/infrastructure_and_maintenance/security/security_checklist.md b/docs/infrastructure_and_maintenance/security/security_checklist.md index 85973a14ea..62141588a7 100644 --- a/docs/infrastructure_and_maintenance/security/security_checklist.md +++ b/docs/infrastructure_and_maintenance/security/security_checklist.md @@ -140,6 +140,32 @@ The older UTF8 can lead to truncation with 4-byte characters, like some emoji, w See [Change from UTF8 to UTF8MB4](update_db_to_2.5.md#change-from-utf8-to-utf8mb4). +### Use restricted DB user + +The Data Definition Language (DDL) commands (create, alter, drop, truncate, comment) are not needed for running [[= product_name =]], only for installing and upgrading it. +If the web app user does not have these rights, then that reduces the damage that can be done if there is a security breach. + +Create a user and grant minimal rights: + +=== "MySQL" + + ```sql + CREATE USER 'user'@'host' IDENTIFIED BY 'password'; + GRANT SELECT, INSERT, UPDATE, DELETE ON database_name.* TO 'user'@'host'; + ``` + +=== "PostgreSQL" + + ```sql + CREATE USER user PASSWORD 'password'; + GRANT CONNECT ON DATABASE database_name TO user; + GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO user; + ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO user; + ``` + +In configuration, update users and passwords, such as [`DATABASE_URL`](install_ibexa_dxp.md#change-installation-parameters) +or a [connection](repository_configuration.md#defining-custom-connection). + ### Use secure Roles and Policies Use the following checklist to ensure the Roles and Policies are secure: 
@@ -191,7 +217,7 @@ Once you have properly configured secure user roles and permissions, to avoid ex - Avoid exposing servers on the open internet when not strictly required. - Ensure any servers, services, ports and virtual hosts that were opened for testing purposes are shut down before going live. - Ensure file system permissions are set up such that the web server / PHP user cannot access files it shouldn't be able to read. -- Secure the database with a good password, keys, firewall, etc. Optionally, ensure that the database user used by the web app only has access to do the operations needed by [[= product_name =]]. The Data Definition Language (DDL) commands (create, alter, drop, truncate, comment) are not needed for running [[= product_name =]], only for installing and upgrading it. If the web app user does not have these rights, then that reduces the damage that can be done if there is a security breach. +- Secure the database with a good password, keys, firewall, etc. Optionally, [restrict the database user](#use-restricted-db-user) to the needed operations. The above steps are not needed when using Ibexa Cloud, where these things are handled by the provider. From 0533601a8aded9327a80048b4c95ab8afceb574a Mon Sep 17 00:00:00 2001 From: Adrien Dupuis <61695653+adriendupuis@users.noreply.github.com> Date: Mon, 8 Apr 2024 17:10:17 +0200 Subject: [PATCH 3/7] Apply suggestions from code review --- .../security/security_checklist.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/infrastructure_and_maintenance/security/security_checklist.md b/docs/infrastructure_and_maintenance/security/security_checklist.md index 85973a14ea..c59f3cec82 100644 --- a/docs/infrastructure_and_maintenance/security/security_checklist.md +++ b/docs/infrastructure_and_maintenance/security/security_checklist.md 
@@ -190,10 +190,10 @@ Once you have properly configured secure user roles and permissions, to avoid ex - Avoid exposing servers on the open internet when not strictly required. - Ensure any servers, services, ports and virtual hosts that were opened for testing purposes are shut down before going live. -- Ensure file system permissions are set up such that the web server / PHP user cannot access files it shouldn't be able to read. +- Ensure file system permissions are set up such that the web server or PHP user can't access files it shouldn't be able to read. - Secure the database with a good password, keys, firewall, etc. Optionally, ensure that the database user used by the web app only has access to do the operations needed by [[= product_name =]]. The Data Definition Language (DDL) commands (create, alter, drop, truncate, comment) are not needed for running [[= product_name =]], only for installing and upgrading it. If the web app user does not have these rights, then that reduces the damage that can be done if there is a security breach. -The above steps are not needed when using Ibexa Cloud, where these things are handled by the provider. +Those steps aren't needed when using [[= product_name_cloud =]], where the provider handles them. ### Security headers From 58012d27939c5f32f4646b6e8d5f4024fee4e223 Mon Sep 17 00:00:00 2001 From: Gunnstein Lye <289744+glye@users.noreply.github.com> Date: Mon, 8 Apr 2024 19:49:07 +0200 Subject: [PATCH 4/7] Review feedback MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Tomasz Dąbrowski <64841871+dabrt@users.noreply.github.com> --- .../security/security_checklist.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/infrastructure_and_maintenance/security/security_checklist.md b/docs/infrastructure_and_maintenance/security/security_checklist.md index c59f3cec82..7638cfabb2 100644
--- a/docs/infrastructure_and_maintenance/security/security_checklist.md +++ b/docs/infrastructure_and_maintenance/security/security_checklist.md @@ -191,7 +191,10 @@ Once you have properly configured secure user roles and permissions, to avoid ex - Avoid exposing servers on the open internet when not strictly required. - Ensure any servers, services, ports and virtual hosts that were opened for testing purposes are shut down before going live. - Ensure file system permissions are set up such that the web server or PHP user can't access files it shouldn't be able to read. -- Secure the database with a good password, keys, firewall, etc. Optionally, ensure that the database user used by the web app only has access to do the operations needed by [[= product_name =]]. The Data Definition Language (DDL) commands (create, alter, drop, truncate, comment) are not needed for running [[= product_name =]], only for installing and upgrading it. If the web app user does not have these rights, then that reduces the damage that can be done if there is a security breach. +- Secure the database with a good password, keys, firewall, etc. +Optionally, ensure that the database user used by the web app only has permissions to do the operations needed by [[= product_name =]]. +The Data Definition Language (DDL) commands (create, alter, drop, truncate, comment) are only needed for installing and upgrading [[= product_name =]], and not for running it. +Not granting these rights to web app users reduces the damage that can result from a security breach. Those steps aren't needed when using [[= product_name_cloud =]], where the provider handles them. From b3d01899d585d5831addc6c69f43bef800e5d286 Mon Sep 17 00:00:00 2001 
From: Adrien Dupuis <61695653+adriendupuis@users.noreply.github.com> Date: Tue, 9 Apr 2024 08:43:41 +0200 Subject: [PATCH 5/7] Update docs/infrastructure_and_maintenance/security/security_checklist.md Co-authored-by: Gunnstein Lye <289744+glye@users.noreply.github.com> --- .../security/security_checklist.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/infrastructure_and_maintenance/security/security_checklist.md b/docs/infrastructure_and_maintenance/security/security_checklist.md index 7638cfabb2..b43b7e8f2a 100644 --- a/docs/infrastructure_and_maintenance/security/security_checklist.md +++ b/docs/infrastructure_and_maintenance/security/security_checklist.md @@ -190,7 +190,7 @@ Once you have properly configured secure user roles and permissions, to avoid ex - Avoid exposing servers on the open internet when not strictly required. - Ensure any servers, services, ports and virtual hosts that were opened for testing purposes are shut down before going live. -- Ensure file system permissions are set up such that the web server or PHP user can't access files it shouldn't be able to read. +- Ensure file system permissions are set up in such a way that the web server or PHP user can't access files it shouldn't be able to read. - Secure the database with a good password, keys, firewall, etc. Optionally, ensure that the database user used by the web app only has permissions to do the operations needed by [[= product_name =]]. The Data Definition Language (DDL) commands (create, alter, drop, truncate, comment) are only needed for installing and upgrading [[= product_name =]], and not for running it. From 4501d4cb8a23ee43de70c41c3a32723f24da17e8 Mon Sep 17 00:00:00 2001 From: Gunnstein Lye <289744+glye@users.noreply.github.com> Date: Tue, 9 Apr 2024 09:21:10 +0200 Subject: [PATCH 6/7] Grammar --- .../security/security_checklist.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/infrastructure_and_maintenance/security/security_checklist.md b/docs/infrastructure_and_maintenance/security/security_checklist.md index b43b7e8f2a..b60826c5df 100644 --- a/docs/infrastructure_and_maintenance/security/security_checklist.md +++ b/docs/infrastructure_and_maintenance/security/security_checklist.md @@ -190,7 +190,7 @@ Once you have properly configured secure user roles and permissions, to avoid ex - Avoid exposing servers on the open internet when not strictly required. - Ensure any servers, services, ports and virtual hosts that were opened for testing purposes are shut down before going live. -- Ensure file system permissions are set up in such a way that the web server or PHP user can't access files it shouldn't be able to read. +- Ensure file system permissions are set up in such a way that the web server or PHP user can't access files they shouldn't be able to read. - Secure the database with a good password, keys, firewall, etc. Optionally, ensure that the database user used by the web app only has permissions to do the operations needed by [[= product_name =]]. The Data Definition Language (DDL) commands (create, alter, drop, truncate, comment) are only needed for installing and upgrading [[= product_name =]], and not for running it. From 9402cabd4d986f5d6d5aab4241f98dee653ffac4 Mon Sep 17 00:00:00 2001 From: Adrien Dupuis <61695653+adriendupuis@users.noreply.github.com> Date: Tue, 9 Apr 2024 09:55:27 +0200 Subject: [PATCH 7/7] security_checklist.md: Format --- .../security/security_checklist.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/infrastructure_and_maintenance/security/security_checklist.md b/docs/infrastructure_and_maintenance/security/security_checklist.md index b2c9fd7742..2e393f9fdd 100644 --- a/docs/infrastructure_and_maintenance/security/security_checklist.md +++ b/docs/infrastructure_and_maintenance/security/security_checklist.md 
@@ -217,7 +217,8 @@ Once you have properly configured secure user roles and permissions, to avoid ex - Avoid exposing servers on the open internet when not strictly required. - Ensure any servers, services, ports and virtual hosts that were opened for testing purposes are shut down before going live. - Ensure file system permissions are set up such that the web server or PHP user can't access files they shouldn't be able to read. -- Secure the database with a good password, keys, firewall, etc. Optionally, [restrict the database user](#use-restricted-db-user) to the needed operations. +- Secure the database with a good password, keys, firewall, etc. +Optionally, [restrict the database user](#use-restricted-db-user) to the needed operations. Those steps aren't needed when using [[= product_name_cloud =]], where the provider handles them.
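Review bot: The new file-system item in the PATCH 1/7 hunk is too vague to act on: "files it shouldn't be able to read" names no files and covers reads only. Say which files are meant (the configuration that carries the database credentials, referenced as `DATABASE_URL` later in this series, is the obvious one) and add that write access for the web server or PHP user should be confined to the directories the application actually has to write to, since read-only is half of the concern. The same hunk also prefixes the database-user sentence with "Optionally", which downgrades the one item in this list with a concrete, checkable effect; if it stays optional, state when it may be skipped.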
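Review bot: The PostgreSQL example in the PATCH 2/7 `@@ -140` hunk does not run as written: `user` is a reserved word in PostgreSQL, so `CREATE USER user PASSWORD 'password';` fails with a syntax error. Use a placeholder such as `app_user` (or double-quote the name) in all four statements. Two further gaps in the same block: an INSERT into a table whose id column is fed by a sequence (serial or identity columns) also needs `GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO app_user;` plus a matching `ALTER DEFAULT PRIVILEGES ... GRANT USAGE ON SEQUENCES`, otherwise inserts fail with a permission error on the sequence; and `ALTER DEFAULT PRIVILEGES` only covers objects later created by the role that runs it, so if installs and upgrades run as a different role, add `FOR ROLE <that role>`. A closing sentence telling the reader how to verify the result (connect as the new user and confirm a `CREATE TABLE` is denied) would make the section checkable.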
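Review bot: PATCH 3/7 does not apply on top of PATCH 2/7: its index line is `85973a14ea..c59f3cec82`, i.e. it starts from the blob PATCH 1/7 produced rather than the `62141588a7` that PATCH 2/7 produced, and its context lines still carry the long DDL sentence that PATCH 2/7 replaced with a link, so `git am` will not apply it cleanly after 2/7. PATCH 7/7 then starts from `b2c9fd7742`, which no earlier patch in the series produces, and its context line reads "set up such that" although PATCH 5/7 changed that wording to "set up in such a way that". Rebase this into a linear series (or include the merge commit) before it is merged.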
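Review bot: In the PATCH 4/7 hunk the three sentences split off the "Secure the database" bullet are not indented, so they attach to the list item only as lazy continuation lines; a blank line or a linter that normalizes indentation will push them out of the list. Indent them by two spaces to make them part of the item explicitly. The same applies to the split introduced in PATCH 7/7.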
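Review bot: The PATCH 6/7 hunk replaces "it" with "they", but the subject "the web server or PHP user" is singular, so "they" now disagrees with it. Either keep "it" or make the subject plural ("the web server and PHP users can't access files they shouldn't be able to read").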