Feature #33722
closed
Disable Access via /typo3/install/ via a localconf setting
0%
Description
Hi
Most of the times, after a first install, the external access to the install tool via http://example.com/typo3/install/ isn't used anymore.
The install tool prominently displays this comment:
For additional security, the /typo3/install/ folder can be renamed, deleted, or password protected with a .htaccess file.
But what if you don't have access to your core, share your core with other instances or simply don't want to delete the /typo3/install/ folder after each core update?
Maybe it would make sense to offer an option in $TYPO3_CONF_VARS to turn of that external access. It would definiely feel safer. Or would that just be "illusion of safety"?
Urs
Updated by Markus Klein almost 13 years ago
Hi!
The ENABLE_INSTALL_TOOL file has to be present in your instance in order for the Install tool to be accessible.
Updated by Thorsten Kahler almost 13 years ago
- Status changed from New to Needs Feedback
- Assignee set to Urs Braem
Hi Urs,
feeling safe is a fine thing - but sometimes only obscures real threats ;-)
Can you draft a case where such a configuration option would be superior to the solution we already have (ENABLE_INSTALL_TOOL file)?
Updated by Urs Braem almost 13 years ago
Hi Thorsten
Well...
Say the admin has become very used to accessing the install tool only via the backend. As he feels the install tool is already secured by his admin credentials, the password he chooses doesn't match the standards he would apply to a regular password, and I guess saltedpasswords and RSAAuth don't apply either. Also, there is only one security element, as there's only the PW, no username.
One day he sets the ENABLE_INSTALL_TOOL file and does whatever he has to do in the install tool. Clear some tempfiles. Nothing special.
While he's in there and the enablefile is set, the Install Tool is more vulnerable to any intrusion than the Backend.
The phone rings.
Time passes.
Maybe he's being logged out from the BE. Maybe TYPO3 doesn't manage to clear the enablefile after 1h (not sure if that can happen).
Then the installtool would stay very vulnerable in comparison to the backend.
Another argument: If "For additional security, the /typo3/install/ folder can be renamed, deleted, or password protected" really applies (thus really grants additional security), something equivalent should be possible in a standard setup with a symlinked core - or the hint might be removed or changed to "To feel safer, ...." :-).
Thanks for listening!
Cheers
Urs
Updated by Thorsten Kahler almost 13 years ago
- Assignee changed from Urs Braem to Helmut Hummel
Urs Braem wrote:
Say the admin has become very used to accessing the install tool only via the backend. [...]
Maybe he's being logged out from the BE. Maybe TYPO3 doesn't manage to clear the enablefile after 1h (not sure if that can happen).
And maybe the admin forgets to set the TYPO3_CONF_VARS option ...
In the case of an oblivious admin disabling the BE module IMO would be the better way to achieve more security.
Another argument: If "For additional security, the /typo3/install/ folder can be renamed, deleted, or password protected" really applies (thus really grants additional security), something equivalent should be possible in a standard setup with a symlinked core - or the hint might be removed or changed to "To feel safer, ...." :-).
If you install TYPO3 symlinked for easier maintenance all three options are still possible. In an environment with shared TYPO3 sources password protection as well as renaming is possible; deletion will indeed cause some effort before the install tool can be used again.
Maybe Helmut can add some considerations (or a pointer) from last years discussions about install tool security?
Updated by Helmut Hummel almost 13 years ago
- Status changed from Needs Feedback to Rejected
- Assignee deleted (
Helmut Hummel)
There's nothing to do here. An ENABLE_INSTALL_TOOL file older than 1h will be deleted on access or if the file (for whatever reason) cannot be deleted by the webserver user a file older than 1h will still count as invalid.
If you want extra security you can just delete it. If you're too lazy to do so on every update or your admin is too lazy to click the logout button, well then you can still add webserver auth for that path.
An additional TYPO3_CONF_VAR would not be beneficial at all.
If anything we must move all maintenance tasks to another place so that accessing the install tool would only be necessary during installation or upgrade.