PageBox: presentation deployment using PHP PageBox


PageBox for PHP security

Foreword

PageBox for PHP is quite powerful and therefore requires proper security measures.

In this document we focus on the security in Apache and BadBlue environments.

PageBox security

PageBox doesn't really change the picture: if your server pages have unrestricted access to the server resources and someone finds a way to add or modify a server page, then the security of the server is compromised.

PageBox for PHP triggers commands to install and remove presentations.

These commands are specified in inflate.pb and delete.pb.

As a bare minimum, make inflate.pb, delete.pb and the programs they invoke read-only for the account the web server runs under, so that a compromised server page cannot rewrite the commands that PageBox executes.

You should also apply the security measures described in the PHP and Apache documentation.

PHP security

Safe mode

If you try using PageBox on an ISP/ASP your inflate and delete commands will probably not work because your ISP has configured PHP in Safe Mode.

From the PHP documentation:

"Safe Mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren't very realistic, many people, especially ISP's, use Safe Mode for now."

First check whether Safe Mode is set, using environment.php.

Many functions are restricted or disabled by Safe Mode; the PHP documentation lists them. Note that Safe Mode was deprecated in PHP 5.3 and removed in PHP 5.4; on later versions the same effect is usually obtained with disable_functions, open_basedir and a dedicated system account, which can block exec() just as completely.

If PHP runs in Safe Mode, exec() and the other functions that execute system programs refuse to start programs that are not located in safe_mode_exec_dir.

Therefore you must copy the programs used by inflate.pb and delete.pb into safe_mode_exec_dir.

Note:

On Windows, batch files are run by %SYSTEMROOT%\system32\cmd.exe, so cmd.exe must also be present in safe_mode_exec_dir if inflate.pb or delete.pb invoke .bat files.
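The following script is an added example and not part of the PageBox distribution. It reports the Safe Mode settings that decide whether the inflate.pb and delete.pb commands can run, checks that each program they need is actually present in safe_mode_exec_dir, and shows a guarded way to call exec() that resolves the program through that directory and escapes every argument. The list of programs (unzip, rm, cmd.exe) is a placeholder assumption; replace it with the ones your .pb files use. It assumes a PHP version that still has Safe Mode (before 5.4).

```php
<?php
// Added example, not PageBox code. Diagnoses Safe Mode restrictions for the
// programs referenced by inflate.pb / delete.pb and wraps exec() safely.
// Assumption: PHP < 5.4 (safe_mode and safe_mode_exec_dir were removed in 5.4).

// Safe Mode is reported by ini_get() as "1", "On", "Yes" or "True".
function safe_mode_enabled()
{
    $v = strtolower(trim((string) ini_get('safe_mode')));
    return in_array($v, array('1', 'on', 'yes', 'true'), true);
}

// Return the absolute path of $program inside safe_mode_exec_dir, or null if it
// is missing there (exec() would refuse to start it in that case).
function resolve_in_exec_dir($program)
{
    $dir = rtrim((string) ini_get('safe_mode_exec_dir'), "/\\");
    if ($dir === '') {
        return null; // no exec dir configured: nothing can be started in Safe Mode
    }
    $candidate = $dir . DIRECTORY_SEPARATOR . basename($program);
    return is_executable($candidate) ? $candidate : null;
}

// Run $program with an array of arguments. In Safe Mode the program is taken
// from safe_mode_exec_dir; each argument is escaped so that data coming from a
// presentation name or file list cannot inject shell syntax.
// Returns the output lines on success, false on failure.
function run_guarded($program, $args)
{
    $path = safe_mode_enabled() ? resolve_in_exec_dir($program) : $program;
    if ($path === null) {
        return false;
    }
    $cmd = escapeshellcmd($path);
    foreach ($args as $a) {
        $cmd .= ' ' . escapeshellarg($a);
    }
    $out = array();
    $rc = 1;
    exec($cmd, $out, $rc);
    return $rc === 0 ? $out : false;
}

// Programs assumed to be referenced by inflate.pb and delete.pb (placeholder list).
$needed = array('unzip', 'rm');
if (DIRECTORY_SEPARATOR === '\\') {
    $needed[] = 'cmd.exe'; // batch files need cmd.exe on Windows
}

header('Content-Type: text/plain');
echo "safe_mode: " . (safe_mode_enabled() ? 'On' : 'Off') . "\n";
echo "safe_mode_exec_dir: " . ini_get('safe_mode_exec_dir') . "\n";
echo "disable_functions: " . ini_get('disable_functions') . "\n";

if (safe_mode_enabled()) {
    foreach ($needed as $prog) {
        $path = resolve_in_exec_dir($prog);
        echo $prog . ': ' . ($path === null ? 'MISSING, copy it into safe_mode_exec_dir' : $path) . "\n";
    }
}

// Example of a guarded call (hypothetical archive name): lists the archive
// instead of extracting it, so the page stays read-only when used as a check.
$listing = run_guarded('unzip', array('-l', 'presentation.zip'));
echo $listing === false ? "unzip could not be run\n" : implode("\n", $listing) . "\n";
```

Drop the script into the repository directory next to environment.php while you configure the host, and remove it afterwards: it reveals configuration details that an attacker would otherwise have to guess.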

Repository security

Apache authentication

With Apache you need to update conf/httpd.conf.

Assuming that you installed the PageBox repository in D:/Program Files/Apache Group/Apache/htdocs/repository, you can use this definition:

  <Directory "D:/Program Files/Apache Group/Apache/htdocs/repository">
    AuthType Basic
    AuthName PageBox
    AuthUserFile "D:/Program Files/Apache Group/Apache/PageBox-users.ht"
    AuthGroupFile "D:/Program Files/Apache Group/Apache/PageBox-groups.ht"
    Require group PageBox
  </Directory>

You create and populate D:/Program Files/Apache Group/Apache/PageBox-users.ht with the htpasswd command. The path contains spaces and must be quoted, for instance:

  htpasswd -bc "D:/Program Files/Apache Group/Apache/PageBox-users.ht" admin admin
  htpasswd -b "D:/Program Files/Apache Group/Apache/PageBox-users.ht" publisher1 publisher
  htpasswd -b "D:/Program Files/Apache Group/Apache/PageBox-users.ht" publisher2 publisher
  htpasswd -b "D:/Program Files/Apache Group/Apache/PageBox-users.ht" subscriber1 subscriber
  htpasswd -b "D:/Program Files/Apache Group/Apache/PageBox-users.ht" subscriber2 subscriber

The -c option creates the file and must only be given for the first user, otherwise the file is overwritten. The -b option takes the password from the command line, which leaves it in the shell history and visible in the process list; without -b, htpasswd prompts for the password instead, which is preferable on a shared machine. The passwords above are placeholders: do not keep admin/admin or a password equal to the role name on a real repository.

Then you create D:/Program Files/Apache Group/Apache/PageBox-groups.ht with one line per group, the group name followed by a colon and the space-separated user names:

  PageBox: admin publisher1 publisher2 subscriber1 subscriber2

Thanks to the Require group PageBox directive, only users belonging to the PageBox group (admin, publisher1, publisher2, subscriber1 and subscriber2) are allowed to query repository resources. A user present in the users file but not in the group is still rejected.

Restart Apache. Now when you query publisher.php, subscriber.php or admin.php, the browser displays a login dialog.

Enter a valid user and password belonging to PageBox group.

BadBlue authentication

Use the BadBlue Web administration. Assuming that you installed BadBlue on your machine and set the port to 1080, enter the URL http://localhost:1080/ to open the administration pages.

Select Advanced Web server functions | Define user to create the users.

Then select Advanced Web server functions | Control Access and select the repository virtual directory.

Now when you try to access a repository page, the same login prompt as above appears. Enter a valid user name and password.

Authorization

Only users defined in users.rep can publish presentations.

Only the user defined in adminUser.rep can administrate and display the audit log.

Configure adminUser.rep and users.rep as described in the customization guide.

Encryption

Without encryption the user name and password are sent on the wire in clear text: Basic authentication only base64-encodes them, which anyone capturing the traffic can reverse instantly. Because the same credentials allow publishing presentations, and therefore running the inflate.pb and delete.pb commands, protect them with TLS.

With Apache,

  1. Install mod_SSL

  2. Configure a server certificate
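The fragment below is an added example, not PageBox's own configuration. It extends the <Directory> block from the Apache authentication section once mod_ssl is installed: the repository is served only on the TLS virtual host, SSLRequireSSL refuses any request for it that did not arrive over HTTPS, and plain-HTTP requests are redirected before the browser is asked for credentials. The host name repository.example.com and the certificate and key paths are placeholders.

```apache
# Added example (not part of PageBox). Assumes mod_ssl is loaded and that the
# certificate/key files and the host name below are replaced with your own.

<VirtualHost *:80>
    ServerName repository.example.com
    # Send any plain-HTTP request for the repository to HTTPS. Because the
    # redirect happens before authentication, the browser never sends the
    # Basic credentials over an unencrypted connection.
    Redirect permanent /repository https://repository.example.com/repository
</VirtualHost>

<VirtualHost *:443>
    ServerName repository.example.com
    SSLEngine on
    SSLCertificateFile    "D:/Program Files/Apache Group/Apache/conf/ssl/server.crt"
    SSLCertificateKeyFile "D:/Program Files/Apache Group/Apache/conf/ssl/server.key"

    <Directory "D:/Program Files/Apache Group/Apache/htdocs/repository">
        # Defence in depth: even if a later change exposes this directory on a
        # non-TLS host, the request is rejected with 403 instead of prompting.
        SSLRequireSSL
        AuthType Basic
        AuthName PageBox
        AuthUserFile "D:/Program Files/Apache Group/Apache/PageBox-users.ht"
        AuthGroupFile "D:/Program Files/Apache Group/Apache/PageBox-groups.ht"
        Require group PageBox
    </Directory>
</VirtualHost>
```

After restarting Apache, check the result from a client: a request for http://repository.example.com/repository/publisher.php must answer with a redirect to the https:// URL and no login prompt, and the login prompt must only appear on the https:// URL.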

Contact:support@pagebox.net
©2001-2004 Alexis Grandemange. Last modified .