Hi,
I am writing a public script and I was thinking about having my script installer rename certain core folders to random names. The user never needs to access them, unlike acp, plugins or similar folders, so it won't interfere with the user.
I was thinking, if indexes are not available and there is no visible error reporting, there should be no way to find out the folder that I can think of.
So, this does not increase security much, but it still DOES increase it, right? So why not take the step? I want to get arguments and thoughts, that's why I created this topic; I'm not specifically asking anything.
PS. Sorry for my grammar, I'm a bit drunk right now :p
Renaming directories in a public script
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
- alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Re: Renaming directories in a public script
> So, this does not increase security much, but it still DOES increase it, right?
Sure. Security through obscurity. You'd be better off just keeping those sensitive folders/files out of the document root.
> I want to get arguments and thoughts, that's why I created this topic; I'm not specifically asking anything.
1. It's more secure to keep files/folders outside of document root, period.
2. If the files are never changed/updated, give them a tight permission setting.
An install script renaming your sensitive folders is going to be a PITA. Why?
Cause PHP scripts typically always run as user nobody and when you upload files via FTP those files are usually owned by another user. So when the PHP script tries to rename those files/folders to some random value you'll get a permission error.
I believe vTiger or Sugar does something similar... renaming the setup directory to something random to prevent attackers from ever tinkering. They do this by packaging the entire source tree into file(s) which you upload and execute, and the script then creates the application files, etc., thus allowing it access to rename/remove files as the script so wishes. Weird, but it works I guess.
I'd rather have a conditional in my code that checked for an install directory and refused access any further until the directory was removed or renamed.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Renaming directories in a public script
Of course my installation is locked after installation. The files cannot be accessed directly, and so on. I was just thinking about extra security.
It's a public open source script, so it is not easy for customers to upload certain dirs to out of docroot.
Also, chmod() works pretty often in PHP
If it works, give permission to the folder, rename, and chmod back. If it doesn't work with chmod, forget it.
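
The two ideas discussed in this thread, the chmod/rename/chmod-back fallback and the check for a leftover install directory, as an added PHP example that is not code from either poster. It assumes PHP 7+ (for `random_bytes()`); the folder names `core` and `install` and both function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Rename $base/$dir to an unpredictable name. Returns the new name, or null
// when the web server user may not modify $base (the FTP-owner case).
function obscureDirectory(string $base, string $dir): ?string
{
    $old = $base . DIRECTORY_SEPARATOR . $dir;
    if (!is_dir($old)) {
        return null;
    }
    // rename() needs write+search permission on the parent directory.
    $mode = fileperms($base) & 0777;
    $loosened = false;
    if (!is_writable($base)) {
        // chmod() only succeeds if PHP runs as the owner of $base.
        $loosened = @chmod($base, $mode | 0300);
        if (!$loosened) {
            return null; // chmod failed: leave the name unchanged
        }
    }
    $new = $dir . '_' . bin2hex(random_bytes(16)); // 128 random bits
    $ok = @rename($old, $base . DIRECTORY_SEPARATOR . $new);
    if ($loosened) {
        @chmod($base, $mode); // restore the original permissions
    }
    return $ok ? $new : null;
}

// Guard for the front controller: refuse to serve while the installer exists.
function installerPresent(string $base): bool
{
    return is_dir($base . DIRECTORY_SEPARATOR . 'install');
}

// Demo on a constructed temporary tree (hypothetical folder names).
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_' . bin2hex(random_bytes(4));
mkdir($base . '/core', 0755, true);
mkdir($base . '/install', 0755);

$name = obscureDirectory($base, 'core');
echo $name === null ? "rename not permitted, keeping 'core'\n" : "core is now {$name}\n";

if (installerPresent($base)) {
    echo "install/ still present: refuse requests until it is removed\n";
}
```

The caller has to persist the returned name (for example in its configuration file) so the application can still locate the folder after the rename.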