{* $Id$ *}
{title help="Security Admin" admpage="security"}{tr}Security Admin{/tr}{/title}

{remarksbox type="tip" title="{tr}Tip{/tr}"}
	{tr}Use the Tiki security contact form to <a class="alert-link" target="tikihelp" href="http://security.tiki.org/tiki-contact.php">report any security issues</a>.{/tr}
	{tr}For additional security checks, please visit <a href="tiki-check.php" class="alert-link">Tiki Server Compatibility Check</a>.{/tr}
{/remarksbox}

<h2>{tr}Tiki settings{/tr}</h2>
<div class="table-responsive secsetting-table">
	<table class="table table-striped table-hover">
		<tr>
			<th>{tr}Tiki variable{/tr}</th>
			<th>{tr}Setting{/tr}</th>
			<th>{tr}Risk Factor{/tr}</th>
			<th>{tr}Explanation{/tr}</th>
		</tr>

		{foreach from=$tikisettings key=key item=item}
			<tr>
				<td class="text">{$key}</td>
				<td class="text">{$item.setting}</td>
				<td class="text">
					<span class="text-{$fmap[$item.risk]['class']}">
						{icon name="{$fmap[$item.risk]['icon']}"} {$item.risk}
					</span>
				</td>
				<td class="text">{$item.message}</td>
			</tr>
		{/foreach}
		{if !$tikisettings}
			{norecords _colspan=4}
		{/if}
	</table>
</div>
{tr}About WikiPlugins and security: make sure to grant the "tiki_p_plugin_approve" permission only to trusted editors.{/tr} {tr}You can deactivate risky plugins at <a href="tiki-admin.php?page=textarea">tiki-admin.php?page=textarea</a>.{/tr} {tr}You can approve plugin use at <a href="tiki-plugins.php">tiki-plugins.php</a>.{/tr}

<br>
<h2>{tr}Security checks{/tr}</h2>
<div>
	<form action="tiki-admin_security.php" method="post">
		<input type="submit" name="check_files" class="btn btn-primary" value="{tr}Check all tiki files{/tr}">
	</form>
	<br>
	{remarksbox type="tip" title="{tr}Info{/tr}"}
		{tr}Note that this check can take a very long time. Check the max_execution_time setting in your php.ini first.{/tr}
	{/remarksbox}
	<br>
	<br>
</div>

{if $filecheck}
	<div class="table-responsive secfile-table">
		<table class="table table-striped table-hover">
			<tr>
				<th colspan="2">{tr}File checks{/tr}</th>
			</tr>
			<tr>
				<th>{tr}Filename{/tr}</th>
				<th>{tr}State{/tr}</th>
			</tr>
			{foreach from=$tikifiles key=key item=item}
				<tr>
					<td class="url">{$key}</td>
					<td class="text">{$item}</td>
				</tr>
			{/foreach}
		</table>
	</div>
{/if}

<a href="tiki-admin_security.php?check_file_permissions" class="btn btn-primary">{tr}Check file permissions{/tr}</a>

{remarksbox type="tip" title="{tr}Info{/tr}"}
	{tr}Note that this check can take a very long time. Check the max_execution_time setting in your php.ini first.{/tr}
	<br>
	{tr}This check tries to find files with problematic file permissions. Some file permissions that are shown here as problematic may be harmless or unavoidable in some environments.{/tr}
	<br>
	{tr}See the end of the table for detailed explanations.{/tr}
{/remarksbox}


{if $permcheck}
	<div class="table-responsive secperm-table">
		<table class="table table-striped table-hover">
			<tr>
				<th>{tr}Filename{/tr}</th>
				<th>{tr}type{/tr}</th>
				<th colspan="2">{tr}owner{/tr}</th>
				<th colspan="3">{tr}special{/tr}</th>
				<th>{tr}user{/tr}</th>
				<th>{tr}group{/tr}</th>
				<th>{tr}other{/tr}</th>
			</tr>
			<tr>
				<th colspan="2">&#160;</th>
				<th>{tr}uid{/tr}</th>
				<th>{tr}gid{/tr}</th>
				<th>{tr}suid{/tr}</th>
				<th>{tr}sgid{/tr}</th>
				<th>{tr}sticky{/tr}</th>
				<th>{tr}r{/tr}{tr}w{/tr}{tr}x{/tr}</th>
				<th>{tr}r{/tr}{tr}w{/tr}{tr}x{/tr}</th>
				<th>{tr}r{/tr}{tr}w{/tr}{tr}x{/tr}</th>
			</tr>
			<tr>
				<th colspan="10">{tr}Set User ID (suid) files{/tr}</th>
			</tr>

			{foreach from=$suid key=key item=item}
				<tr>
					<td class="url">{$key}</td>
					<td class="text">{$item.t}</td>
					<td class="text">{$item.u}</td>
					<td class="text">{$item.g}</td>
					<td class="text">{$item.suid|truex}</td>
					<td class="text">{$item.sgid|truex}</td>
					<td class="text">{$item.sticky|truex}</td>
					<td class="text">{$item.ur|truex}{$item.uw|truex}{$item.ux|truex}</td>
					<td class="text">{$item.gr|truex}{$item.gw|truex}{$item.gx|truex}</td>
					<td class="text">{$item.or|truex}{$item.ow|truex}{$item.ox|truex}</td>
				</tr>
			{/foreach}

			<tr>
				<th colspan="10">{tr}World writable files or directories{/tr}</th>
			</tr>
			{foreach from=$worldwritable key=key item=item}
				<tr>
					<td class="url">{$key}</td>
					<td class="text">{$item.t}</td>
					<td class="text">{$item.u}</td>
					<td class="text">{$item.g}</td>
					<td class="text">{$item.suid|truex}</td>
					<td class="text">{$item.sgid|truex}</td>
					<td class="text">{$item.sticky|truex}</td>
					<td class="text">{$item.ur|truex}{$item.uw|truex}{$item.ux|truex}</td>
					<td class="text">{$item.gr|truex}{$item.gw|truex}{$item.gx|truex}</td>
					<td class="text">{$item.or|truex}{$item.ow|truex}{$item.ox|truex}</td>
				</tr>
			{/foreach}

			<tr>
				<th colspan="10">{tr}Files or directories the Webserver can write to{/tr}</th>
			</tr>
			{foreach from=$apachewritable key=key item=item}
				<tr>
					<td class="url">{$key}</td>
					<td class="text">{$item.t}</td>
					<td class="text">{$item.u}</td>
					<td class="text">{$item.g}</td>
					<td class="text">{$item.suid|truex}</td>
					<td class="text">{$item.sgid|truex}</td>
					<td class="text">{$item.sticky|truex}</td>
					<td class="text">{$item.ur|truex}{$item.uw|truex}{$item.ux|truex}</td>
					<td class="text">{$item.gr|truex}{$item.gw|truex}{$item.gx|truex}</td>
					<td class="text">{$item.or|truex}{$item.ow|truex}{$item.ox|truex}</td>
				</tr>
			{/foreach}

			<tr>
				<th colspan="10">{tr}Strange Inodes (not file, not link, not directory){/tr}</th>
			</tr>
			{foreach from=$strangeinode key=key item=item}
				<tr>
					<td class="url">{$key}</td>
					<td class="text">{$item.t}</td>
					<td class="text">{$item.u}</td>
					<td class="text">{$item.g}</td>
					<td class="text">{$item.suid|truex}</td>
					<td class="text">{$item.sgid|truex}</td>
					<td class="text">{$item.sticky|truex}</td>
					<td class="text">{$item.ur|truex}{$item.uw|truex}{$item.ux|truex}</td>
					<td class="text">{$item.gr|truex}{$item.gw|truex}{$item.gx|truex}</td>
					<td class="text">{$item.or|truex}{$item.ow|truex}{$item.ox|truex}</td>
				</tr>
			{/foreach}

			<tr>
				<th colspan="10">{tr}Executable files{/tr}</th>
			</tr>
			{foreach from=$executable key=key item=item}
				<tr>
					<td class="url">{$key}</td>
					<td class="text">{$item.t}</td>
					<td class="text">{$item.u}</td>
					<td class="text">{$item.g}</td>
					<td class="text">{$item.suid|truex}</td>
					<td class="text">{$item.sgid|truex}</td>
					<td class="text">{$item.sticky|truex}</td>
					<td class="text">{$item.ur|truex}{$item.uw|truex}{$item.ux|truex}</td>
					<td class="text">{$item.gr|truex}{$item.gw|truex}{$item.gx|truex}</td>
					<td class="text">{$item.or|truex}{$item.ow|truex}{$item.ox|truex}</td>
				</tr>
			{/foreach}
		</table>
	</div>

	{remarksbox type="tip" title="{tr}Info{/tr}"}
		{tr}What to do with these check results?{/tr}
		<br>
		{tr}Set User ID (suid) files{/tr}
		<br>
		{tr}Suid files are not part of Tiki, and there is no need for suid files in a webspace. Intruders that gain elevated privileges sometimes leave suid files behind to "keep the door open".{/tr}
		<br>
		{tr}World writable files or directories{/tr}
		<br>
		{tr}In some environments where you cannot get root or have no other options, it is unavoidable to let your webserver write to some Tiki directories such as "temp". In any other case this is not needed. A bug in a script, or other users on the host, could easily put malicious scripts in your webspace or upload illegal content.{/tr}
		<br>
		{tr}Files or directories the Webserver can write to{/tr}
		<br>
		{tr}The risk is almost the same in shared hosting environments without proper privilege separation (suexec wrappers). The webserver has to be able to write to some directories such as "temp". Review the Tiki install guide for further information.{/tr}
		<br>
		{tr}Strange Inodes (not file, not link, not directory){/tr}
		<br>
		{tr}Inodes that are not files, links or directories are not part of Tiki. Review these inodes!{/tr}
		<br>
		{tr}Executable files{/tr}
		<br>
		{tr}Setting the executable bit can be dangerous if the webserver is configured to execute CGI scripts from those directories. If you use the usual PHP module (for Apache), then PHP scripts and other files in Tiki do not need the executable bit. You can safely remove the executable bit with chmod.{/tr}
		<br>
	{/remarksbox}
{/if}

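The five permission classes described in the box above, reproduced outside Tiki as an added example (this is not Tiki's own check code): each `list_*` function uses only POSIX `find` tests (`-perm -MODE` means "all of these bits are set"), so it behaves the same with GNU and BSD find. The web server account and group names (`www-data` defaults) and the sample directory tree built by `make_sample_tree` are assumptions constructed for the example; pass the account your httpd actually runs as.

```shell
#!/bin/sh
# Added example, not part of Tiki: the file-permission classes of the
# "Check file permissions" page, expressed with POSIX find(1) tests.

# Regular files with the set-user-id bit (04000).
list_suid() {
	find "$1" -type f -perm -4000
}

# Files or directories writable by "other" (00002).
list_world_writable() {
	find "$1" \( -type f -o -type d \) -perm -0002
}

# Files or directories the web server account can write to: owned by it
# with u+w, in its group with g+w, or world writable. $2/$3 are the
# account and group the server runs as (assumed defaults: www-data).
# A name unknown to the system is skipped instead of aborting find;
# "find DIR -prune -user NAME" only fails when NAME does not exist.
list_web_writable() {
	root=$1; web_user=${2:-www-data}; web_group=${3:-www-data}
	set -- \( -type f -o -type d \) \( -perm -0002
	if find "$root" -prune -user "$web_user" >/dev/null 2>&1; then
		set -- "$@" -o \( -user "$web_user" -perm -0200 \)
	fi
	if find "$root" -prune -group "$web_group" >/dev/null 2>&1; then
		set -- "$@" -o \( -group "$web_group" -perm -0020 \)
	fi
	set -- "$@" \)
	find "$root" "$@"
}

# Inodes that are neither regular files, directories nor symlinks
# (fifos, sockets, device nodes): nothing Tiki ships looks like that.
list_strange_inodes() {
	find "$1" ! -type f ! -type d ! -type l
}

# Regular files with any execute bit set.
list_executable() {
	find "$1" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \)
}

# Remediation for the last class: PHP files served through mod_php need
# no execute bit. Prints the chmod commands by default; "apply" runs them.
# (Names containing newlines would confuse the read loop; Tiki has none.)
strip_php_exec_bits() {
	root=$1; mode=${2:-dry-run}
	list_executable "$root" | while IFS= read -r f; do
		case $f in
			*.php)
				if [ "$mode" = apply ]; then chmod a-x "$f"; else echo "chmod a-x $f"; fi ;;
		esac
	done
}

# Full report in the same order as the admin page. Extra arguments
# (web user, web group) are only used by list_web_writable.
report_perms() {
	for section in suid world_writable web_writable strange_inodes executable; do
		echo "== $section"
		"list_$section" "$@"
	done
}

# Constructed sample tree hitting every class (needs mkfifo and a
# filesystem that stores mode bits; /tmp normally qualifies).
make_sample_tree() {
	t=$(mktemp -d) || return 1
	mkdir "$t/bin" "$t/lib" "$t/temp" "$t/templates_c"
	printf '<?php\n' > "$t/tiki-index.php"; chmod 644 "$t/tiki-index.php"
	printf '<?php\n' > "$t/lib/setup.php";  chmod 755 "$t/lib/setup.php"  # needless +x
	printf '#!/bin/sh\n' > "$t/bin/helper";  chmod 4755 "$t/bin/helper"   # suid
	chmod 777 "$t/temp"                                                  # world writable
	chmod 775 "$t/templates_c"                                           # group writable
	chmod 755 "$t" "$t/bin" "$t/lib"
	mkfifo -m 644 "$t/strange.fifo"                                      # strange inode
	echo "$t"
}

# Run with "--demo" to build the sample tree and print the report.
if [ "${1:-}" = --demo ]; then
	demo=$(make_sample_tree) || exit 1
	report_perms "$demo" "$(id -un)" "$(id -gn)"
	rm -rf "$demo"
fi
```

Against the sample tree, `list_suid` reports `bin/helper`, `list_world_writable` reports `temp`, `list_executable` reports both `bin/helper` and `lib/setup.php`, and `strip_php_exec_bits DIR apply` clears the bit on `lib/setup.php` only, leaving the suid helper for manual review, which is the point of the page: the executable bit on PHP files is safe to remove with chmod, a suid file is something to investigate rather than silently fix.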