1

Topic: security - what to remove?

I'm setting up forumchooser.com, which will give admin panel access to a number of popular boards, to help users choose which one to install. And of course, I will be using this one :)

Now of course, I need to remove a number of features from the admin panel to stop wannabe hackers from causing havoc. Can some experienced users with PunBB suggest the ones to remove, because no doubt I will miss some?

Thanks :)

2 (edited by Skye 2004-04-04 15:09)

Re: security - what to remove?

Perhaps in the admin pages...leave the page alone, but remove the "action code" or replace it with an echo statement saying what should have happened if it was the actual forum software.

3

Re: security - what to remove?

That was one idea that I was considering doing... but what I really want is for users to be able to create forums, edit them, change some settings...

Each board will be reinstalled every hour or so as an added precaution.

4

Re: security - what to remove?

Andy wrote:

That was one idea that I was considering doing... but what I really want is for users to be able to create forums, edit them, change some settings...

Each board will be reinstalled every hour or so as an added precaution.

If you're going to have a crontab running that will just run "rm -fr *" on the public_html directory, then untar a backup file, with the database settings and stuff already pre-configured, then I see absolutely no point in limiting what each of the demos can do. I believe that a better solution is to create a script called resetdemo.php or something like that, which has the ability, when executed, to reset the demos by manually running the crontab or deleting, then extracting the files by some other means, though by doing this in PHP you will most likely run into permission issues if you try to edit the files manually via FTP. The only real solution for doing it via a web-script would then become Perl. The link to this reset script could be in the error pages of the forums. Just edit the templates for the error. :)

My solution is more work, but in the long run it's worth its weight in gold.

5

Re: security - what to remove?

The reinstall script would only be to reset the database... not the files :P Thanks for all of the tips though, am thinking them over...

6 (edited by Skye 2004-04-05 15:15)

Re: security - what to remove?

Andy wrote:

The reinstall script would only be to reset the database... not the files :P Thanks for all of the tips though, am thinking them over...

There is your problem though... these forum systems have the ability to edit skin files, ON server. You either need to ensure the CHMod isn't correct, or just undo any changes they've done to the forums on an hourly basis. When you tar a file, its permissions are preserved, so you'll be set in 20 seconds every hour.

In fact, you can make a shell script to be run by crontab, that sits just above your public_html folder that gets executed every 60 minutes. You can make the functionality you need with less than 20 lines of shell scripting.
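The hourly file reset described in this thread, as an added example that is not part of the original posts: it validates the archive before deleting anything, and removes dotfiles that a plain "rm -fr *" would leave behind. The script name and all paths are hypothetical, and it covers files only, not the database.

```shell
#!/bin/sh
# reset_demo.sh (hypothetical name), kept above the web root.
# Example crontab entry, hourly, with hypothetical paths:
#   0 * * * * /home/demo/reset_demo.sh /home/demo/public_html /home/demo/pristine.tar.gz

reset_demo() {
    webroot=$1   # directory served to visitors
    backup=$2    # known-good tarball, stored outside the web root

    # Accept only absolute paths, so an empty or relative argument
    # can never point the delete step at the wrong directory.
    case "$webroot" in
        /*) ;;
        *) echo "refusing web root '$webroot'" >&2; return 1 ;;
    esac

    # Resolve symlinks and refuse "/" itself.
    real=$(cd "$webroot" 2>/dev/null && pwd -P) || {
        echo "cannot enter $webroot" >&2; return 1; }
    [ "$real" != "/" ] || { echo "refusing to wipe /" >&2; return 1; }

    # Check the archive is readable and intact BEFORE deleting,
    # otherwise a corrupt backup leaves the site empty.
    tar -tzf "$backup" >/dev/null || {
        echo "bad archive: $backup" >&2; return 1; }

    # Delete everything inside the web root. Unlike "rm -fr *" this
    # also removes dotfiles (e.g. a planted .htaccess), because the
    # shell glob * does not match names starting with a dot.
    find "$real" -mindepth 1 -delete || return 1

    # -p restores the permission bits recorded in the archive.
    tar -xzpf "$backup" -C "$real"
}

# Run the reset only when called with both arguments.
if [ "$#" -eq 2 ]; then
    reset_demo "$1" "$2"
fi
```

Files uploaded or edited through a board's admin panel are discarded on every run, so the tarball has to contain the pre-configured database settings mentioned earlier in the thread.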

7

Re: security - what to remove?

I think I would probs disable the skinning system then... leave it there but just remove the code for it.

This obviously needs some thinking :/

8 (edited by Skye 2004-04-05 16:45)

Re: security - what to remove?

Andy wrote:

I think I would probs disable the skinning system then... leave it there but just remove the code for it.

This obviously needs some thinking :/

Why? I just told you exactly how to do it... it takes less than 20 lines of shell scripting.

...and one command to set up the crontab.

9

Re: security - what to remove?

Yes, but on which method to use :P I will most likely use yours.