Koozali.org: home of the SME Server

Joomla! 3 on SME 9

DanB35
Re: Joomla! 3 on SME 9
« Reply #15 on: October 11, 2014, 09:26:05 PM »
I guess I could take the matter up with Charlie, but he's not the one who's telling me that there's a security problem with my original design choice; you are.  This seems to be getting more confrontational than I expect either of us really intends, so let me try to back up a bit.

Maybe it's the way you're phrasing things, and maybe it's just me, but when you wrote, "Unfortunately you have totally missed the point of the first article", it set me off a bit, largely because it's simply factually incorrect.  The point of the first article, by its terms, was how to password-protect a subdirectory of an ibay--that was the stated "problem" to which it provided a solution.  What "how-to" was in that article, I didn't need--I know how to make a custom template fragment, and I know how to incorporate the appropriate directives in httpd.conf.  Yes, there were two sentences identifying purported security issues with using .htaccess, and one phrase (part of those two sentences) stating that .htaccess was disabled by default in SME Server.  Perhaps those two sentences were your point in providing the link, and if so, I did miss that.  Certainly if I'd read more carefully, I might have noticed that information the first time.  If you'd posted, ".htaccess is disabled by default in SME Server for security reasons, see http://wiki.contribs.org/Htaccess for another way to implement it", that likely would have helped as well.  I've since made some edits to that page that I think clarify the fact that .htaccess is disabled, and discuss some of the broader applications of the page.

I can accept that there's a marginal security gain in disabling .htaccess files system-wide.  I haven't yet found evidence that it's a significant gain--my web searching hasn't found much at all discussing security problems related to enabling .htaccess files--but since it can remove some control over Apache security from the admin, and give it to users who may not know what they're doing, it's reasonable to believe it would be more secure to disable them, and retain security control with the admin (who hopefully knows what he or she is doing).

But at the end of the day, whether I believe it's a security issue or not, it comes down to the fact that .htaccess is disabled by default.  To do the kind of access control I want to do, I need to either add a config database entry or create a custom template fragment, and either of those would need to be (or, at least, should be) manually removed if/when Joomla is removed.
......
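An added example, not part of either post and not SME Server's own code: one way an admin could check which `<Directory>` blocks in an httpd.conf still honour .htaccess files, the setting this exchange turns on. The sample config and its paths are constructed; `default` is the AllowOverride value Apache assumes when no block sets one (All before Apache 2.3.9, None from 2.3.9 on), and regex or wildcard sections are ignored.

```python
import re

# Constructed httpd.conf excerpt; the paths are illustrative only.
SAMPLE_CONF = """\
<Directory />
    AllowOverride None
</Directory>
<Directory /srv/www/site/joomla>
    AllowOverride AuthConfig FileInfo
</Directory>
<Directory /srv/www/site/joomla/administrator>
    AllowOverride None
    AuthType Basic
    AuthName "Admin"
    AuthUserFile /srv/auth/admin.htpasswd
    Require valid-user
</Directory>
"""

def directory_overrides(conf_text):
    """Map every plain-path <Directory> block to its AllowOverride classes (None if unset)."""
    found, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        opened = re.match(r'<Directory\s+"?([^">]+?)"?\s*>$', line, re.I)
        if opened:
            current = opened.group(1).rstrip("/") or "/"
            found.setdefault(current, None)
        elif line.lower().startswith("</directory"):
            current = None
        elif current and line.lower().startswith("allowoverride "):
            found[current] = line.split()[1:]
    return found

def effective_override(path, found, default):
    """Sections merge shortest path first, so the longest prefix that sets a value wins."""
    best, classes = -1, list(default)
    for prefix, value in found.items():
        covers = prefix == "/" or path == prefix or path.startswith(prefix + "/")
        if value is not None and covers and len(prefix) > best:
            best, classes = len(prefix), value
    return classes

def htaccess_honoured(conf_text, default=("All",)):
    """Return {directory: classes} for blocks where .htaccess files are still read."""
    found = directory_overrides(conf_text)
    effective = {p: effective_override(p, found, default) for p in found}
    return {p: c for p, c in effective.items() if [x.lower() for x in c] != ["none"]}
```

On the sample, only the `joomla` block is reported: the `administrator` block keeps its authentication directives in the main config and sets `AllowOverride None`, so an .htaccess file dropped there is ignored.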

janet
Re: Joomla! 3 on SME 9
« Reply #16 on: October 12, 2014, 12:14:35 AM »
DanB35

You asked for improvements or better ways of doing your Joomla install, so I pointed something out to you.
Whether you agree/disagree technically & semantically is your choice & needs no further discussion.
If you search the forums (years ago) you will find supporting info & I note the original article was written in 2005, so using custom templates to implement htaccess requirements has been the recommendation for many years now.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.