ImpressCMS proudly uses SourceForge
ImpressCMS on Ohloh.net
Tags: Development   Install   Trust Path  

Trust Path

ImpressCMS introduces the concept of a trust path, which was originally introduced by GIJOE in all his modules. The idea of a trust path is to offer better protection for files, folders and data which are more sensitive. Traditionally, all the files of a PHP application reside in a folder in the web root of a server. By being in the web root, all these files are easily accessible with a web browser. For example: http://www.mysite.com/some_important_data.php can be accessed in a single click. Now, if this file holds sensitive information and has not been properly protected, the information could be accessed. One way to overcome this is to move this file outside of the web root, so it will still be accessible by PHP scripts, but not directly with a web browser. This is what the trust path is used for.

So concretely, what does it look like?

Let's say you have uploaded ImpressCMS to http://www.yoursite.com, and the physical path for this site is /home/yoursite/public_html/. Everything inside public_html/ would then be accessible via a web browser. In this case, the recommended trust path location would be /home/yoursite/trust_pathabcdem, where "abcdem" would be a random string. Why a random string? Again, because we want to make it as difficult as possible for any malicious hacker to discover the real location of the trust path.

What is it used for?

The main file of the ImpressCMS application is, as you might have guessed, called mainfile.php. This file holds the keys to the database and other important information. The very first reason why we are using a trust path folder is to hold this sensitive information. The ImpressCMS installer will write the database access information in a file, with a pretty long and random name, and store it in the trust path folder! So the very file holding the keys to your site:

  • has a random name very hard to find
  • is stored in a folder, also with a random name, still very hard to find
  • and this folder is stored outside the web root, not accessible by a web browser

The ImpressCMS Installation Wizard

Now that we understand what a trust path folder is, let's see how it is set up in the ImpressCMS installation wizard. The trust path configuration is done in Step 4 of the installation wizard, the Path settings step. For demonstration purposes, I have uploaded ImpressCMS to http://inboxfactory.net/impresscms_1.0/. Let's have a look at Step 4 of the installation wizard.

  • The Physical path of this install is /home/inboxfac/public_html/impresscms_1.0
  • The proposed trust path folder is /home/inboxfac/trust_pathe2307, which is outside the web root and has a random name
  • The Web location is http://inboxfactory.net/impresscms_1.0

The installer proposes a trust path location, which you can change. In fact, in some environments, you will not be able to create the trust path folder in the location proposed by the installer. Let's have a look at different situations.

The trust path location is OK with me

Then you simply need to click on the Create Trust Path button. The installer will attempt to create the folder in the location specified. If no errors are displayed, everything worked well and you can go on with the next step.

It was not possible to create the trust path

It is possible that the script will not be able to create the folder in the specified location. This is because the script does not have the proper permissions to create the folder in that specific location. In that case, simply connect to your site via FTP and manually create the folder where you want it. Then, make sure that the Trust path textbox in the installer reflects the path of the folder you have created. Also, please make sure that the folder you have created is writable (777 on Linux servers). Then, simply hit the Refresh button. You will then be able to continue to the next step.

I cannot create a folder outside of the web root

Again, this is possible in some environments. Although we recommend that the trust path folder be created outside of the web root for the reasons explained earlier, it is still better to have a trust path folder in the web root than no trust path folder at all! Why? Simply because, again, what we are trying to achieve is to prevent any malicious hackers from finding out where the database access information is located. In that case, make sure to use a very hard to find name for your trust path folder. When you have created this folder using FTP, make sure that the Trust path textbox in the installer reflects the path of the folder you have created, and make sure this folder is writable by the server (777 on Linux servers).
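
A way to check which of the two placements discussed above you actually ended up with, as an added example (not ImpressCMS code; the function names propose_trust_path and web_exposure are hypothetical). It builds a constructed copy of the example layout in a temporary directory and assumes a POSIX host whose web root is served at the site root.

```php
<?php
// Added example; function names are hypothetical, not ImpressCMS APIs.

// Propose a folder beside the web root with an unpredictable suffix.
function propose_trust_path(string $webRoot): string
{
    $suffix = bin2hex(random_bytes(8)); // 16 hex characters from the CSPRNG
    return dirname(rtrim($webRoot, '/')) . '/trust_path' . $suffix;
}

// Return the URL path under which $dir would be served, or null when it
// lies outside the web root. realpath() resolves symlinks and "..".
function web_exposure(string $dir, string $webRoot): ?string
{
    $real = realpath($dir);
    $root = realpath($webRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('both paths must exist');
    }
    if ($real === $root) {
        return '/';
    }
    $prefix = rtrim($root, '/') . '/';
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return '/' . substr($real, strlen($prefix));
}

// Constructed layout mirroring the page's example, built in a temp directory.
$home    = sys_get_temp_dir() . '/yoursite_' . bin2hex(random_bytes(4));
$webRoot = $home . '/public_html';
mkdir($webRoot, 0755, true);

$outside = propose_trust_path($webRoot);                        // beside the web root
$inside  = $webRoot . '/trust_path' . bin2hex(random_bytes(8)); // inside the web root
mkdir($outside);
mkdir($inside);

foreach ([$outside, $inside] as $dir) {
    $url = web_exposure($dir, $webRoot);
    echo basename($dir), ': ',
        $url === null ? 'outside the web root, no URL maps to it'
                      : "inside the web root, served at $url",
        PHP_EOL;
}

// Clean up the constructed directories.
rmdir($inside); rmdir($outside); rmdir($webRoot); rmdir($home);
```

For a folder inside the web root, the returned URL path is the only thing standing between a browser and the folder, which is why the random name matters in that case.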

Last modified on 2012/2/24 by fiammybe
This page was created on 2010/11/11 by skenow