Any Last Minute Security Details Before Going LIVE


Sherry Lake

Mar 9, 2016, 9:44:32 AM3/9/16
to Dataverse Users Community
We are going "semi-live" (low key) on the 15th and want to make sure we have dealt with all security concerns.

The only thing I found is the note about running the post-install-api-block script. Anything else?

Thanks.
Sherry Lake

Philip Durbin

Mar 9, 2016, 10:01:36 AM3/9/16
to dataverse...@googlegroups.com
The fix for https://github.com/IQSS/dataverse/issues/2838 hasn't made it into a release yet (I think it will make it into Dataverse 4.4) so setting the ":AllowSignUp" database setting to "no" or "false" doesn't work. This is warned about at http://guides.dataverse.org/en/4.2.4/installation/config.html#allowsignup . If you're planning on keeping ":AllowSignUp" as "yes" (the default), then there is no security problem.

In addition to blocking API endpoints (very important!!) http://guides.dataverse.org/en/4.2.4/installation/config.html#securing-your-installation also suggests enforcing HTTPS.

In some docs I'm working on at http://guides.dataverse.org/en/2939-shib/installation/shibboleth.html#auth-modes-local-vs-remote-vs-both I mention the "BuiltinUsers.KEY" database setting. This string is necessary to create local users via API. You could delete or scramble it so it doesn't have the default value. Ensuring that "builtin-users" is in your list of blocked endpoints is even more secure.

I hope this helps. Let us know when you'd like your installation to be on the map at http://dataverse.org ! :)

Phil
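The checks Phil lists (blocking API endpoints such as "builtin-users", making sure "BuiltinUsers.KEY" no longer holds its default, and the fact that ":AllowSignUp" is not enforced before 4.4) can be turned into a small pre-launch audit. The script below is an added example, not Dataverse's own code or anything from this thread. It assumes that `GET /api/admin/settings` returns JSON shaped like `{"status": "OK", "data": {"<name>": "<value>", ...}}`, that the blocked list lives in the `:BlockedApiEndpoints` setting as a comma-separated string, and that the default `BuiltinUsers.KEY` value is "burrito"; the sample settings document is constructed for the example.

```python
"""Pre-launch audit of Dataverse database settings (added example, not
Dataverse's own code).

Assumptions not stated in the thread:
  * /api/admin/settings returns {"status": "OK", "data": {name: value, ...}}
  * blocked endpoints are a comma-separated ":BlockedApiEndpoints" setting
  * the shipped default for BuiltinUsers.KEY is "burrito"
"""
import json

ASSUMED_DEFAULT_BUILTIN_KEY = "burrito"          # assumption, see docstring
# "builtin-users" is the endpoint named in the post; "admin" is an assumption.
RECOMMENDED_BLOCKED = ("builtin-users", "admin")
ALLOWSIGNUP_FIXED_IN = (4, 4)                    # per the post: fix expected in 4.4

# Constructed sample: a fresh installation where the admin set :AllowSignUp
# to "false" but has not yet run the post-install API blocking step fully.
SAMPLE_SETTINGS_JSON = json.dumps({
    "status": "OK",
    "data": {
        ":AllowSignUp": "false",
        ":BlockedApiEndpoints": "admin,test",
        "BuiltinUsers.KEY": "burrito",
    },
})


def parse_settings(raw_json: str) -> dict:
    """Extract the settings map from the assumed /api/admin/settings shape."""
    doc = json.loads(raw_json)
    if doc.get("status") != "OK" or not isinstance(doc.get("data"), dict):
        raise ValueError("unexpected settings response shape")
    return doc["data"]


def parse_version(release: str) -> tuple:
    """'4.2.4' -> (4, 2, 4); non-numeric parts are dropped."""
    return tuple(int(p) for p in release.split(".") if p.isdigit())


def audit_settings(settings: dict, release: str) -> list:
    """Return (code, message) findings for the hardening points in the thread."""
    findings = []

    # 1. Blocked API endpoints: "builtin-users" should be in the list.
    raw = settings.get(":BlockedApiEndpoints", "")
    blocked = {e.strip() for e in raw.split(",") if e.strip()}
    for endpoint in RECOMMENDED_BLOCKED:
        if endpoint not in blocked:
            findings.append((
                "ENDPOINT_NOT_BLOCKED",
                f"'{endpoint}' is not listed in :BlockedApiEndpoints (got: {sorted(blocked)})",
            ))

    # 2. BuiltinUsers.KEY still at its (assumed) default lets anyone who
    #    can reach the builtin-users endpoint create local accounts.
    if settings.get("BuiltinUsers.KEY") == ASSUMED_DEFAULT_BUILTIN_KEY:
        findings.append((
            "BUILTIN_KEY_DEFAULT",
            "BuiltinUsers.KEY holds the default value; scramble or delete it",
        ))

    # 3. :AllowSignUp set to no/false is silently ignored before 4.4
    #    (issue #2838), so sign-up is still open despite the setting.
    signup = str(settings.get(":AllowSignUp", "yes")).strip().lower()
    if signup in ("no", "false") and parse_version(release) < ALLOWSIGNUP_FIXED_IN:
        findings.append((
            "ALLOWSIGNUP_NOT_ENFORCED",
            f":AllowSignUp={signup!r} is not enforced in {release}; sign-up remains open",
        ))

    return findings


def finding_codes(settings: dict, release: str) -> list:
    """Convenience wrapper returning only the finding codes, in order."""
    return [code for code, _ in audit_settings(settings, release)]


if __name__ == "__main__":
    for code, msg in audit_settings(parse_settings(SAMPLE_SETTINGS_JSON), "4.2.4"):
        print(f"[{code}] {msg}")
```

Run against the sample, the audit reports the missing "builtin-users" block, the default key, and the ineffective ":AllowSignUp" value; a settings map that blocks both endpoints, has a non-default key and leaves ":AllowSignUp" at "yes" produces no findings. In practice you would feed it the output of `curl http://localhost:8080/api/admin/settings` captured on the server itself, since the "admin" endpoint is expected to be blocked from elsewhere.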
