From 03263c0dc9553fc40bd2f34dcb545a08e8f15a6f Mon Sep 17 00:00:00 2001 From: Uwe Steinmann Date: Thu, 13 Jun 2019 09:03:55 +0200 Subject: [PATCH] much better installation instructions added security considerations --- doc/README.Install.md | 66 ++++++++++++++++++++++++++++++------------- 1 file changed, 46 insertions(+), 20 deletions(-) diff --git a/doc/README.Install.md b/doc/README.Install.md index 5aec87904..bca601437 100644 --- a/doc/README.Install.md +++ b/doc/README.Install.md 
@@ -36,28 +36,54 @@ QUICKSTART =========== The fastes way to get SeedDMS running is by unpacking the archive -`seeddms-quickstart-x.y.z.tar.gz` into your webservers document root. +`seeddms-quickstart-x.y.z.tar.gz` on your webserver. +Let's assume you use seeddms-quickstart-5.1.10.tar.gz. It will create a new directory `seeddms51x` containing everything you -need to run SeedDMS with sqlite3. Make sure that the subdіrectory -`seeddms51x/data` -and the configuration file `seeddms51/conf/settings.xml` is writeable -by your web server. All other directories must just be readable by your -web server. In the next step you need to adjust -the configuration file in `seeddms51/www/conf/settings.xml`. If you -are not afraid of xml files, then open it in your favorite text editor -and search for `/home/wwww-data`. Replace that part in any path found -with your document root. Alternatively, you can open the installer -with a browser at http://your-domain/seeddms51x/install/ -It will first ask to unlock the installer by creating a file -`ENABLE_INSTALL_TOOL` in the diretory `seeddms51/www/conf/`. Change all -paths by replacing `/home/wwww-data` with your document root. Do not change -the httpRoot. Leave it at '/' and set your DocumentRoot in your web server -to the `www` directory in `seeddms51x`. Do not set the DocumentRoot to -the `seeddms51x` directory, because this will allow anybody to access -your `data` and `conf` directory. This is a major security risk. Once done, -save it, remove the file `ENABLE_INSTALL_TOOL` and point your browser to -http://your-domain/seeddms51x/. +need to run SeedDMS with sqlite3. +Either let the document root of your web server point to the directory `www` +below `seeddms51x` or add an alias. For apache this could be like +Alias /seeddms51x //seeddms51x/www + +Do not set the DocumentRoot to +the `seeddms51x` directory, because this will allow anybody to access +your `data` and `conf` directory. This is a major security risk. 
+ +Make sure that the subdіrectory `seeddms51x/data` and the configuration file +`seeddms51/conf/settings.xml` is writeable by your web server. All other +directories must just be readable by your web server. + +In the next step you need to adjust the configuration file in +`seeddms51x/conf/settings.xml`. Open the file in your favorite text editor +and search for `/home/wwww-data`. Replace that part in any path found with your +base directory where you placed seeddms51x (e.g. /var/www/html/seeddms51x). +Alternatively, you can open the installer with a browser at +http://your-domain/install (if the document root points to +`seeddms51x/www`) or http://your-domain/seeddms51x/install/ (if you have +set an alias like described above). + +It will first ask to unlock the installer by creating a file +`ENABLE_INSTALL_TOOL` in the diretory `seeddms51x/conf/`. Change all paths by +replacing `/home/wwww-data` with your base directory where you put seeddms51x. +Set httpRoot to '/' (if the document root points to`seeddms51x/www`) or +'/seeddms51x' (if you have set an alias like described above). + +Once your configuration is done, +save it, remove the file `ENABLE_INSTALL_TOOL` and point your browser to +http://your-domain/ or http://your-domain/seeddms51x. + +SECURITY CONSIDERATIONS +======================= + +A crucial point when setting up SeedDMS is the propper placement of the +data directory. Do not place it below your document root as +configured in your web server! If you do so, there is good change that +attackers can easily access your documents with a regular browser. +If you can't place the data directory outside of document root, that either +restrict access to it with an appropriate .htaccess file or/and change +the `contentOffsetDir` in `settings.xml` to something random, but ensure it +is still a valid directory name. If you change contentOffsetDir then +do not forget to move `data/1048576` to `data/`. 
UPDATING FROM A PREVIOUS VERSION OR SEEDDMS =============================================
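Review bot: In the new SECURITY CONSIDERATIONS section, the fallback for a data directory below the document root offers "restrict access to it with an appropriate .htaccess file or/and change the `contentOffsetDir`" as if the two were equivalent, but only the first is an access control; a renamed `contentOffsetDir` merely makes the path harder to guess. Suggest making the .htaccess restriction the requirement and the rename an optional extra, showing the deny rule itself, and noting that a .htaccess file only takes effect where the web server permits overrides for that directory. The closing instruction "move `data/1048576` to `data/`" has lost its target name, so the reader cannot tell where the directory should end up. The section should also mention `conf`, which the quickstart text names together with `data` as exposed when DocumentRoot is set to `seeddms51x`. Smaller points in the same hunk: the example `Alias /seeddms51x //seeddms51x/www` has an empty base path and needs a visible placeholder; the writable-file sentence still says `seeddms51/conf/settings.xml` while the following paragraph uses `seeddms51x/conf/settings.xml`; "subdіrectory" carries a non-ASCII "і"; and there are typos in "propper", "good change", "that either", "diretory", plus a missing space in "points to`seeddms51x/www`".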