much better installation instructions added security considerations

doc/README.Install.md

@@ -36,28 +36,54 @@ QUICKSTART
 ===========
 
 The fastes way to get SeedDMS running is by unpacking the archive
-`seeddms-quickstart-x.y.z.tar.gz` into your webservers document root.
+`seeddms-quickstart-x.y.z.tar.gz` on your webserver.
+Let's assume you use seeddms-quickstart-5.1.10.tar.gz.
 It will create a new directory `seeddms51x` containing everything you
-need to run SeedDMS with sqlite3. Make sure that the subdіrectory
-`seeddms51x/data`
-and the configuration file `seeddms51/conf/settings.xml` is writeable
-by your web server. All other directories must just be readable by your
-web server. In the next step you need to adjust
-the configuration file in `seeddms51/www/conf/settings.xml`. If you
-are not afraid of xml files, then open it in your favorite text editor
-and search for `/home/wwww-data`. Replace that part in any path found
-with your document root. Alternatively, you can open the installer
-with a browser at http://your-domain/seeddms51x/install/
-It will first ask to unlock the installer by creating a file
-`ENABLE_INSTALL_TOOL` in the diretory `seeddms51/www/conf/`. Change all
-paths by replacing `/home/wwww-data` with your document root. Do not change
-the httpRoot. Leave it at '/' and set your DocumentRoot in your web server
-to the `www` directory in `seeddms51x`. Do not set the DocumentRoot to
-the `seeddms51x` directory, because this will allow anybody to access
-your `data` and `conf` directory. This is a major security risk. Once done,
-save it, remove the file `ENABLE_INSTALL_TOOL` and point your browser to
-http://your-domain/seeddms51x/.
+need to run SeedDMS with sqlite3.
+Either let the document root of your web server point to the directory `www`
+below `seeddms51x` or add an alias. For apache this could be like
 
+Alias /seeddms51x /<some directory>/seeddms51x/www
+
+Do not set the DocumentRoot to
+the `seeddms51x` directory, because this will allow anybody to access
+your `data` and `conf` directory. This is a major security risk.
+
+Make sure that the subdіrectory `seeddms51x/data` and the configuration file
+`seeddms51/conf/settings.xml` is writeable by your web server. All other
+directories must just be readable by your web server.
+
+In the next step you need to adjust the configuration file in
+`seeddms51x/conf/settings.xml`. Open the file in your favorite text editor
+and search for `/home/wwww-data`. Replace that part in any path found with your
+base directory where you placed seeddms51x (e.g. /var/www/html/seeddms51x).
+Alternatively, you can open the installer with a browser at
+http://your-domain/install (if the document root points to
+`seeddms51x/www`) or http://your-domain/seeddms51x/install/ (if you have
+set an alias like described above).
+
+It will first ask to unlock the installer by creating a file
+`ENABLE_INSTALL_TOOL` in the diretory `seeddms51x/conf/`. Change all paths by
+replacing `/home/wwww-data` with your base directory where you put seeddms51x.
+Set httpRoot to '/' (if  the document root points to`seeddms51x/www`) or
+'/seeddms51x' (if you have set an alias like described above).
+
+Once your configuration is done,
+save it, remove the file `ENABLE_INSTALL_TOOL` and point your browser to
+http://your-domain/ or http://your-domain/seeddms51x.
+
+SECURITY CONSIDERATIONS
+=======================
+
+A crucial point when setting up SeedDMS is the propper placement of the
+data directory. Do not place it below your document root as
+configured in your web server! If you do so, there is good change that
+attackers can easily access your documents with a regular browser.
+If you can't place the data directory outside of document root, that either
+restrict access to it with an appropriate .htaccess file or/and change
+the `contentOffsetDir` in `settings.xml` to something random, but ensure it
+is still a valid directory name. If you change contentOffsetDir then
+do not forget to move `data/1048576` to `data/<your random name>`.
 
 UPDATING FROM A PREVIOUS VERSION OR SEEDDMS
 =============================================