Learning: eZ Publish Security
For a general description of security, we recommend Computer security on Wikipedia.
eZ Publish is very secure! The U.S. Department of Defense uses eZ Publish!
Securing eZ publish
eZ Publish Security Advisories
eZ Publish Security Advisories ( http://share.ez.no/community-project/security-advisories ) - keeping your eZ Publish installation up to date with the latest release and security patches is a good way to ensure the underlying code base is stable and secure.
File Permissions
"Also in production environments the extension directory should no longer be writable by Apache, because of security." -- [email protected]
- Installation directory permissions: the code tree should be readable, but not writable, by the web server user.
- File storage settings in site.ini.append.php, for cache/image files within the var directory:
[FileSettings]
StorageFilePermissions=664
StorageDirPermissions=775
LogFilePermissions=660
The web server user/group should only have write access to var/, unless you make template/INI changes via the admin interface.
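As an added example (not part of the original page or of the eZ Publish project), the following POSIX shell script applies the scheme above to an installation tree and then audits it. It assumes a GNU/Linux host with GNU find, that the code tree is deployed by a non-web user, and that the web server's group name is passed as an optional second argument; `ezp_writable_outside_var` should print nothing on a hardened tree.

```shell
#!/bin/sh
# Added example, not eZ Publish project code. Assumes GNU find/chmod on Linux.

# ezp_apply_perms TREE [WEBGROUP]
#   Code tree: files 644, directories 755 (web server can read, not write).
#   var/: files 664, directories 775, matching StorageFilePermissions and
#   StorageDirPermissions; var/log/*.log: 660, matching LogFilePermissions.
#   If WEBGROUP is given and exists on this host, var/ is handed to that
#   group so the web server can write cache and image files there only.
ezp_apply_perms() {
    tree=$1
    webgroup=${2:-}
    find "$tree" -type d -exec chmod 755 {} +
    find "$tree" -type f -exec chmod 644 {} +
    if [ -d "$tree/var" ]; then
        find "$tree/var" -type d -exec chmod 775 {} +
        find "$tree/var" -type f -exec chmod 664 {} +
        if [ -d "$tree/var/log" ]; then
            find "$tree/var/log" -type f -name '*.log' -exec chmod 660 {} +
        fi
        if [ -n "$webgroup" ] && getent group "$webgroup" >/dev/null 2>&1; then
            chgrp -R "$webgroup" "$tree/var"
        fi
    fi
}

# ezp_writable_outside_var TREE
#   Lists every file or directory outside var/ that is group- or
#   world-writable. A hardened tree prints nothing; anything listed is a
#   place where a compromised web server process could drop or modify PHP code.
ezp_writable_outside_var() {
    find "$1" -path "$1/var" -prune -o \
        \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print
}

# Usage on a real host (paths are placeholders):
#   ezp_apply_perms /var/www/ezpublish www-data
#   ezp_writable_outside_var /var/www/ezpublish
```

Run the audit function from cron or a deployment hook; it is the quickest way to notice an extension or settings directory that was left writable after an upgrade done through the admin interface.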
Database Permissions
- Use a separate user for each eZ publish installation
- Reduce the database user's server permissions to the minimum the site needs.
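An added example (not from the page or the eZ Publish project) of what "a separate user with minimum permissions" looks like on MySQL/MariaDB: one function emits the SQL for a per-installation account, the other audits `SHOW GRANTS` output for grants that are wider than a site account should hold. The privilege set is an assumption of this example: the running site is given only row-level privileges, and schema changes during setup and upgrades are done by a separate account.

```shell
#!/bin/sh
# Added example, not eZ Publish project code. Assumes MySQL/MariaDB.

# ezp_db_grant_sql DBNAME USER HOST PASSWORD
#   Emits SQL creating one account per installation that holds only the
#   row-level privileges the running site needs. Assumption: schema changes
#   (CREATE, ALTER, DROP, INDEX) are made by a separate, rarely used account
#   during setup and upgrades, never by the web front end. If the error log
#   shows a denied statement, add that single privilege rather than
#   falling back to ALL PRIVILEGES.
ezp_db_grant_sql() {
    db=$1; user=$2; host=$3; pass=$4
    cat <<EOF
CREATE USER '${user}'@'${host}' IDENTIFIED BY '${pass}';
GRANT SELECT, INSERT, UPDATE, DELETE ON \`${db}\`.* TO '${user}'@'${host}';
FLUSH PRIVILEGES;
EOF
}

# ezp_db_grant_findings
#   Reads "SHOW GRANTS FOR 'user'@'host'" output on stdin and prints every
#   grant wider than a site account should have: ALL PRIVILEGES, anything
#   other than USAGE on *.* (every database on the server), or GRANT OPTION.
ezp_db_grant_findings() {
    grep -v -i 'GRANT USAGE ON \*\.\*' \
        | grep -E -i 'ALL PRIVILEGES|ON \*\.\*|WITH GRANT OPTION' || true
}

# Usage on a real host (run the SQL as the DBA account; names are placeholders):
#   ezp_db_grant_sql ezpdb ezp_site localhost 'change-me' | mysql -u root -p
#   mysql -u root -p -N -e "SHOW GRANTS FOR 'ezp_site'@'localhost'" | ezp_db_grant_findings
```

A separate account per installation also means that a leaked settings/override/site.ini.append.php from one site cannot be used against the others sharing the database server.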
Module view security
Several module views are available to anonymous users by default and can expose information about your software and website:
- ezinfo/about contains the version of eZ Publish, and all extensions used by your website, as well as information about copyright, license, contributors, etc.
- content/browse can allow a user to explore the node structure of your site, to access information which is not linked on your site.
- user/register, user/activate, user/success, and user/forgotpassword can also be disabled if you don't need user registration on the front-end, to prevent spammers clogging up your system or people using it by accident.
There are two ways to disable these module views for anonymous users; both are done by changing settings in site.ini:
- Remove it from [RoleSettings] PolicyOmitList (the view then requires a role policy)
- Add it to the [SiteAccessRules] Rules disable list (the view is disabled entirely)
PolicyOmitList
You can reset the site.ini:[RoleSettings] PolicyOmitList array with a settings override to exclude the module entirely, thus preventing its use and its indexing by external sources (search engines, bots, etc.).
Here is an example from a settings/override/site.ini.append.php file:
[RoleSettings]
PolicyOmitList[]
PolicyOmitList[]=user/login
PolicyOmitList[]=user/logout
PolicyOmitList[]=user/register
PolicyOmitList[]=user/activate
PolicyOmitList[]=user/success
PolicyOmitList[]=user/forgotpassword
PolicyOmitList[]=layout
PolicyOmitList[]=manual
# PolicyOmitList[]=ezinfo
PolicyOmitList[]=paypal/notify_url
PolicyOmitList[]=switchlanguage
You might choose for example to leave this enabled in development settings while disabled directly in production settings.
You could also add a new user group and a corresponding new role for that group called, say, 'Developers', and within the role add a policy for the ezinfo module and the read function. Save and clear caches. Now all users in the developer group can use ezinfo and everyone else gets an access denied error instead.
SiteAccessRules
If you want to completely disable a module view so no-one can use it, you can reset the site.ini:[SiteAccessRules] Rules array with a settings override, e.g.:
[SiteAccessRules]
Rules[]
Rules[]=access;enable
Rules[]=module;all
Rules[]=access;disable
Rules[]=module;ezinfo/about
Rules[]=module;content/browse
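The following POSIX shell script is an added example, not code from the page or the eZ Publish project, covering both the PolicyOmitList and the SiteAccessRules approaches above. It parses one `.ini.append.php` file and reports the views discussed in this section that are still listed in PolicyOmitList without being disabled in Rules. It audits a single file; eZ Publish merges several settings layers, so run it against each file that sets these arrays, or against the override file you expect to win.

```shell
#!/bin/sh
# Added example, not eZ Publish project code. Audits ONE settings file; the
# effective value comes from all merged layers (settings/, siteaccess/, override/).

# ezp_ini_values FILE SECTION KEY
#   Prints the values of "KEY[]=value" lines inside [SECTION], skipping
#   '#' comments, the bare "KEY[]" reset line and the PHP wrapper lines.
ezp_ini_values() {
    awk -v section="[$2]" -v key="$3[]=" '
        /^[[:space:]]*#/ { next }
        /^\[/            { insec = ($0 == section); next }
        insec && index($0, key) == 1 { print substr($0, length(key) + 1) }
    ' "$1"
}

# ezp_module_omitted FILE MODULE
#   Exit 0 if MODULE (e.g. "ezinfo" or "user/register"), or the module it
#   belongs to, is in [RoleSettings] PolicyOmitList, i.e. it is reachable
#   without any role policy.
ezp_module_omitted() {
    ezp_ini_values "$1" RoleSettings PolicyOmitList | grep -qx -e "$2" -e "${2%%/*}"
}

# ezp_module_disabled FILE MODULE
#   Exit 0 if MODULE, or the whole module it belongs to, appears after an
#   "access;disable" entry of [SiteAccessRules] Rules, i.e. it is switched
#   off for everyone.
ezp_module_disabled() {
    ezp_ini_values "$1" SiteAccessRules Rules | awk -v mod="$2" -v base="${2%%/*}" '
        $0 == "access;disable" { dis = 1; next }
        $0 == "access;enable"  { dis = 0; next }
        dis && ($0 == ("module;" mod) || $0 == ("module;" base)) { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# ezp_audit_modules FILE
#   Prints "exposed: <view>" for each view discussed above that is both
#   omitted from policy checks and not disabled in FILE.
ezp_audit_modules() {
    for m in ezinfo ezinfo/about content/browse user/register user/activate user/success user/forgotpassword; do
        if ezp_module_omitted "$1" "$m" && ! ezp_module_disabled "$1" "$m"; then
            echo "exposed: $m"
        fi
    done
}

# Usage on a real host (path is a placeholder):
#   ezp_audit_modules /var/www/ezpublish/settings/override/site.ini.append.php
```

Note that disabling only ezinfo/about still leaves the other views of the ezinfo module reachable when the whole module is in PolicyOmitList; the audit reports that case as "exposed: ezinfo".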
HTTP Headers
eZ Publish adds an HTTP header "X-Powered-By: eZ Publish" - you can override this.
In eZ Publish 4.7 you can change a setting in config.php:
/**
 * Enable usage of "X-Powered-By" headers.
 * Optional. Defaults to true.
 */
define( 'CLUSTER_HEADER_X_POWERED_BY', false );
In eZ Publish 4.6 and below, add the following to your settings/override/site.ini.append.php file (and while we're at it, let's turn off the web server identifier as well):
[HTTPHeaderSettings]
# Enable/disable custom HTTP header data.
CustomHeader=enabled
# Only apply custom headers for anonymous users
OnlyForAnonymous=enabled
# Header list. Contains all HTTP headers which should override the standard ones.
HeaderList[]
HeaderList[]=X-Powered-By
HeaderList[]=Server
X-Powered-By[]
X-Powered-By[/]=
Server[]
Server[/]=
Note that with OnlyForAnonymous=enabled the overrides apply only to anonymous visitors, so a logged-in user still receives the original headers.
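As an added example (not from the page or the eZ Publish project), a small POSIX shell check that verifies the override actually took effect. It reads raw response headers, as printed by `curl -sI`, and reports any X-Powered-By header and any Server header that still carries a value; the constructed header sets in the test stand in for real responses.

```shell
#!/bin/sh
# Added example, not eZ Publish project code.

# ezp_header_findings
#   Reads raw HTTP response headers on stdin (what "curl -sI URL" prints)
#   and reports the ones that identify the stack: any X-Powered-By header,
#   and a Server header that still carries a value. An empty "Server:" is
#   what the override above produces and is not reported.
ezp_header_findings() {
    tr -d '\r' | awk '
        {
            name = $0; sub(/:.*/, "", name); name = tolower(name)
            value = $0; sub(/^[^:]*:[[:space:]]*/, "", value)
            if (name == "x-powered-by") print "disclosed: " $0
            else if (name == "server" && value != "") print "disclosed: " $0
        }'
}

# ezp_check_site URL
#   Fetches only the headers of URL and runs the check; exit 0 when clean.
#   Check a front-end page and the admin siteaccess, and remember that with
#   OnlyForAnonymous=enabled a logged-in session still gets the original
#   headers, so an anonymous request alone does not show the full picture.
ezp_check_site() {
    out=$(curl -sS -I "$1" | ezp_header_findings)
    [ -z "$out" ] && return 0
    echo "$out"
    return 1
}

# Usage on a real host (URL is a placeholder):
#   ezp_check_site https://www.example.com/
```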
eZ publish Administration
Browser security
SSL
- Use a browser and web server that support SSL/HTTPS. Require SSL for all login and admin usage.
- SSL protects the clear-text information (username and password) during transmission.
ACL
- Use an httpd browser-based authentication realm to protect eZ Publish.
- Using two forms of authentication, the web server ACL and eZ Publish's own login, greatly reduces the chance that someone can compromise eZ Publish.
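The following is an added example (not from the page or the eZ Publish project) of the SSL and ACL layers above for Apache httpd: one function prints a `<Location>` fragment that refuses plain HTTP and puts an HTTP Basic authentication realm in front of the admin siteaccess, the other checks that a deployed fragment still carries both directives. It assumes mod_ssl and mod_auth_basic are loaded and that the admin siteaccess is reached under a path such as /ezadmin (a placeholder; use your own).

```shell
#!/bin/sh
# Added example, not eZ Publish project code. Assumes Apache httpd with
# mod_ssl and mod_auth_basic; /ezadmin is a placeholder admin path.

# ezp_admin_acl_conf PATH REALM HTPASSWD_FILE
#   Prints a configuration fragment that refuses plain HTTP for PATH and
#   puts an HTTP Basic authentication realm in front of it, so reaching the
#   eZ Publish login form already requires web-server credentials.
ezp_admin_acl_conf() {
    path=$1; realm=$2; htpasswd=$3
    cat <<EOF
<Location "$path">
    # First layer: refuse plain HTTP so the realm password never travels in clear.
    SSLRequireSSL
    # Second layer: web-server credentials, checked before eZ Publish sees the request.
    AuthType Basic
    AuthName "$realm"
    AuthUserFile "$htpasswd"
    Require valid-user
</Location>
EOF
}

# ezp_admin_acl_check CONF_FILE PATH
#   Exit 0 only if the <Location PATH> block in CONF_FILE carries both
#   layers; catches a deployment where one directive was dropped.
ezp_admin_acl_check() {
    awk -v loc="<Location \"$2\">" '
        $0 == loc          { inloc = 1; next }
        /^<\/Location>/    { inloc = 0; next }
        inloc && /^[[:space:]]*SSLRequireSSL/      { ssl = 1 }
        inloc && /^[[:space:]]*Require valid-user/ { auth = 1 }
        END { exit ((ssl && auth) ? 0 : 1) }
    ' "$1"
}

# Usage on a real host (paths and user are placeholders):
#   htpasswd -c /etc/apache2/ezadmin.htpasswd eza-john
#   ezp_admin_acl_conf /ezadmin "eZ Publish admin" /etc/apache2/ezadmin.htpasswd \
#       > /etc/apache2/conf.d/ezadmin-acl.conf
#   ezp_admin_acl_check /etc/apache2/conf.d/ezadmin-acl.conf /ezadmin && apachectl graceful
```

Keep the htpasswd file outside the document root and readable only by the web server user; the realm credentials should not be the same as anyone's eZ Publish login, otherwise the second layer adds nothing.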
eZ publish Users, Groups, Roles and Permissions
- Do not use the 'admin' user. This is similar to the Unix-like operating system rule of using a non-privileged user as much as possible.
- If you need more permissions, create a group called say 'ez-admin', and add a new user 'eza-john' to the group. Add permissions as needed to your group/user roles.
- Example #1 - Email Abuse