DotNetNuke Secure Module Folder - permissions

I have created a module in DNN which has a sub-folder that contains several files which are used by the module, but which I do not want accessible by the public. Being new to DNN I had originally thought to simply add a Web.config and set deny users="*" in the authorization section. It looks to me now though that DNN intercepts all the requests and ignores the Web.config as this setting seems to have no effect.
Users can currently access these files simply by guessing a file name and navigating to (http://mysite.com/DesktopModules/mymodule/restricted_files/guessedfile.pdf). How can I prevent this from happening?

DotNetNuke allows you to have different providers for folders in the file system. If you use those providers (instead of interacting with the file system directly), then you can make sure that DNN has control of the permission to the files in the folder.
Built into DNN are three providers, Standard, Secure, and Database. If you create a folder with the Secure or Database provider, then DNN will make sure that you can't get to the file just by guessing the path (either by appending .resources to the filename, which IIS won't serve, or by putting it in the database). You can then assign permissions to the folder (via the File Manager page in the Admin menu) to indicate who can get to those files (the site administrator will always be able to access the files, unless you're using the Host file system).
However, these folder providers only apply to the Portals directory in the site. It's recommended that you'd store content files there, rather than in DesktopModules.

Related

Is it safe to put the file containing the database password in var/www?

I don't want to save the file containing the database password in the webroot of apache so I moved it to var/www (the server root) and include it from there.
Is this creating new security issues which weren't there before or can I leave it there?
The security issue that it creates, is that anyone who has access to the server, can get your DB credentials. Also, depending on the file and folder, there is a possibility that the file can be downloaded (really depends on the file and security settings on your web app). The industry standard solution is to encrypt the credentials in that file.

Rails/Paperclip - Can't see uploaded images

I have a Rails 3 application which has an attachment model and uses Paperclip gem. Everything works fine on development environment but on production server we cannot access any of the images uploaded. The images are in the right folder where they are supposed to be but when I try to reach them on browser I simply get the 404 page.
The upload folder is located under public folder and called "uploads"
I can access this: "app_url/uploads/test.html" which I manually created to see if it works
But I cannot acces this: "app_url/uploads/test.jpg" which I upload within the application via Paperclip.
I can guess this has something to do with the server configuration but I'm not an expert and may need help about it.
Thanks
UPDATE
I've just realised that uploaded files belong to "nobody" and when I manually change the owner to "root" it seems to be working fine. So I need to find a way to tell Paperclip make the files belong to "root"
It's not a good idea to have a web application being able to write files as root. File permissions are derived from the process writing the files. In case you're using Passenger, there's the concept of user switching:
http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerDefaultUser
Upon startup of your app, Passenger tries to figure out which user owns those files, and tries to switch it's application process to that user. In case it fails, "nobody" is the default.
Check your application permissions on the file level. You should have one user account per application on your server. The application (the directory and contents above the public directory) should be owned by this user. Files under public should be readable by others, so the webserver can pick them up, too.
Are you using Capistrano for deployment?

Accessing Network shared paths in WinRT

Is there a way to access arbitrary network shared paths and read their content in WinRT? Programatically I want to read from the network shared paths in a WinRT App. I am getting an Access Denied error.
I was told that it might be possible to access the network shared path using file picker provided the app request for permission.
But in my case I do not have access to the file picker. Instead while parsing my model if there is path, I need to read the contents from that path. If that path is network shared path, it fails.
You won't be able to access arbitrary files without the user's explicit permission (via the File Picker).
Some well-known locations like the music and pictures library can be read if the application's manifest includes the associated Declaration, but beyond that all the application can access without the user granting permission (at least once) is its local application data storage.
Have a look at this question: Windows 8 Metro App File Share Access
You may be able to work around this limitation by using a Web Service that has access to the file shares. ;)

Manually setting folder permissions for Orchard CMS

I need to reapply permissions to the folders under app_data since my app pool user changed. When I look at another site I've got it's got special permissions - not just read/write.
Is there a script to re-apply this - or what special permissions do I need to apply?
thanks!
There's a description in Orchard documentation specifying which folders should have which rights.
From the document:
You might have to set read/write permissions for the account that is configured as the identity for the IIS application pool on the following folders: - Modules. This is required if you want to install modules from the gallery. (We recommend that you remove the read/write permissions for production sites.) - Themes. This is required if you want to install themes from the gallery. (We recommend that you remove the read/write permissions for production sites.) - AppData_. This folder is where Orchard stores site settings. - Media. This folder is where Orchard stores media files (images, etc.).

Adding .htaccess to disallow sites/default/files directory from any access

Customers at my site upload private files using node checkout module which finally land in sites/default/files directory as part of their order.
Unfortunately I could never find a way till now to restrict those files to the owners only. I've even used User File module, but this module stopped my site.
Customer can upload files as their product order even as anonymous but to checkout they will need to login.
So if I add .htaccess in this directory disallowing everybody in the world read access, will this idea work?
I was thinking to write a hook so that as soon as a product is checked out, it's associated uploaded file can be moved to some private location, or have it's read permission removed( as hosting is on linux).
Any ideas?
I'm using Drupal-6