
Re: Do you use LedgerSMB



On 6/7/07, Armaghan Saqib <..hidden..> wrote:
> Hi Chris,
>
> Just out of curiosity, which files in 1.1.x are server
> writable/executable so that we could better protect
> them.

users/*.conf

We do our best to protect them but the web server has to be able to
both write to and run them.  For example, we prevent the template
editor from editing them using more robust controls than we started
out with, and our recommended configuration blocks direct access to
those files.

(note that it is possible to edit these files with Firefox's
Web Developer extension on SQL-Ledger as of 2.8.2.  I have not checked
more recent versions.  This is because SQL-Ledger merely tries to
strip out the offending paths instead of denying the attempt.  This
has furthermore been noted to Bugtraq.)

Best Wishes
Chris Travers

> Regards

On 6/7/07, Chris Travers <..hidden..> wrote:
> 1.2.x does not have any server writable and executable files and these
> are somewhat separated (server-writable files are limited to
> templates, css, and spool, and none of these are executable).
>
> 1.1.x did not have this advantage, however.
>
> Best Wishes,
> Chris Travers
>
> On 6/7/07, Mads Kiilerich <..hidden..> wrote:
> > Chris Travers wrote, On 06/08/2007 12:26 AM:
> > > I do use it for my accounting.  There is an entry in the faq about
> > > getting it to work with SELinux, and you can also set it to permissive
> > > while you resolve the problems.
> > >
> > >
> > >> I'll have to try and install LedgerSMB again though. I tried it on my Fedora 6 box and it wouldn't work. I think that the SELinux thingy is mainly the problem.
> >
> > The RPM does not work with SELinux in enforcing mode - and says so. I
> > have not been able to find any faq entry discussing this.
> >
> > SELinux (and to some extent FHS) clearly separates "being writable
> > through the web" and "being executable through the web". LedgerSMB by
> > (inherited) design unfortunately conflicts with this principle. That's
> > one reason why I wouldn't expose LedgerSMB urls to untrusted users.
> > That you have to disable SELinux could be another.
> >
> > /Mads
> >
> > -------------------------------------------------------------------------
> > This SF.net email is sponsored by DB2 Express
> > Download DB2 Express C - the FREE version of DB2 express and take
> > control of your XML. No limits. Just data. Click to get it now.
> > http://sourceforge.net/powerbar/db2/
> > _______________________________________________
> > Ledger-smb-users mailing list
> > ..hidden..
> > https://lists.sourceforge.net/lists/listinfo/ledger-smb-users
> >
>
>

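The thread's point is the separation of "writable through the web" from "executable through the web". The following is an added example, not code from the thread or from LedgerSMB, that audits a web root for regular files the web server user could both modify and execute; the web user name, the paths and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the thread or of LedgerSMB): find files under a
# web root that violate the "writable XOR executable" principle discussed
# above. The sample layout built below is constructed, not a real install.

# audit_writable_exec ROOT WEBUSER
# Lists regular files under ROOT that are owned by WEBUSER with the owner
# write+execute bits set, or that are world-writable and executable.
# Exit status: 0 if nothing was found, 1 if at least one file was listed.
audit_writable_exec() {
    root=$1
    webuser=$2
    found=$(find "$root" -type f \( \
        \( -user "$webuser" -perm -0200 -perm -0100 \) -o \
        \( -perm -0002 -perm -0001 \) \) 2>/dev/null | sort)
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}

# build_sample_root DIR
# Constructed tree mirroring the 1.1.x-style situation from the thread:
# users/*.conf is writable and executable by the web user, templates/ is
# writable but not executable, and a script is executable but read-only.
build_sample_root() {
    dir=$1
    mkdir -p "$dir/users" "$dir/templates" "$dir/bin"
    printf '# constructed sample\n' > "$dir/users/admin.conf"
    chmod 0755 "$dir/users/admin.conf"         # writable AND executable: flagged
    printf '<html></html>\n' > "$dir/templates/invoice.html"
    chmod 0664 "$dir/templates/invoice.html"   # writable only: acceptable
    printf '#!/bin/sh\n' > "$dir/bin/report.pl"
    chmod 0555 "$dir/bin/report.pl"            # executable only: acceptable
}

# run_demo builds the sample tree, audits it as the current user (standing in
# for the web server account) and returns the audit's exit status.
run_demo() {
    tmp=$(mktemp -d)
    build_sample_root "$tmp"
    audit_writable_exec "$tmp" "$(id -un)"
    status=$?
    rm -rf "$tmp"
    return $status
}

run_demo
echo "audit exit status: $?"
```

In a real deployment run the audit as root against the document root with the account the web server runs under (for example `www-data` or `apache`), and treat any listed file as a candidate for moving out of the web tree or dropping its execute bit.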