Silent log is written in folder, readable from web

Alexander Obuhovich

Dec 7, 2010, 2:43:42 PM
to In-Portal Development
We have a silent log feature. It writes all errors to a file, no matter what the PHP error logging settings are.

The problem is that the log is created in the document root folder, which is accessible from the web.

We should:
  • have the ability to specify where the silent log is created
  • set 777 rights on it, since it could be used by a cron script that runs under the "root" user.

--
Best Regards,

http://www.in-portal.com
http://www.alex-time.com

Phil -- wbtc.fr --

Dec 7, 2010, 4:03:35 PM
to in-por...@googlegroups.com
I like this idea :-)

2010/12/7 Alexander Obuhovich <aik....@gmail.com>

Dmitry Andrejev

Dec 7, 2010, 4:18:17 PM
to in-por...@googlegroups.com
Hi guys,


Yes, we MUST have silent log easily activated.

Here is what can be done about the folder which will be in use for everyone:

1. We create new system/logs folder - will be used as a DEFAULT place (to be added to Distro).
2. We completely CLOSE web access to it (via .htaccess)
3. We update all other places that use Logging to point to user that.
4. We move DEBUG files to be created in this new folder.

What do you think?


DA

--


Best regards,

Dmitry A.

Phil -- wbtc.fr --

Dec 8, 2010, 6:06:08 AM
to in-por...@googlegroups.com
I think we should be able to easily access logs from another place than downloading/using the command line.

Even for power users like us, sometimes we just need to have a look at logs, and we can solve the problem in admin, modifying theme or any other files.
If we could have a new menu in Tools, where we could see logs in reverse order (newest line first), with the ability to give the number of lines to display. (Yes, just like tail does)

Is it too much? ^-^

2010/12/7 Dmitry Andrejev <dand...@gmail.com>

Alexander Obuhovich

Dec 8, 2010, 1:47:17 PM
to in-por...@googlegroups.com
Web-based log access is bad for security, and it's a hosting problem to allow access to logs, not In-Portal's.

Silent log is a feature that is rarely used by developers, and regular users don't even know about it.

Usually the safest place to create a log is outside the document root.

so, using define('SILENT_LOG', '../logs/silent.log'); instead of define('SILENT_LOG', 1); in debug.php file will help.

I don't think, that we should move "debug_*" files somewhere, since they are already denied by .htaccess based on their current location.

Phil -- wbtc.fr --

Dec 8, 2010, 2:44:00 PM
to in-por...@googlegroups.com
yup, sounds good :-)

2010/12/8 Alexander Obuhovich <aik....@gmail.com>

S.G.

Dec 9, 2010, 3:10:50 AM
to In-Portal Development Team
Yes, I think defining the location via a constant is the best solution for
this case. In this way, all responsibility is on the developer.


On Dec 8, 8:47 pm, Alexander Obuhovich <aik.b...@gmail.com> wrote:
> Web-based log access is bad for security and it's hosting problem to allow
> access to logs, not In-Portal's.
>
> Silent log is feature, that is rarely used by developers and regular users
> even don't know about it.
>
> Usually safest place to create a log is outside document root.
>
> so, using *define('SILENT_LOG', '../logs/silent.log');* instead of
> *define('SILENT_LOG', 1);* in debug.php file will help.
>
> I don't think, that we should move "debug_*" files somewhere, since they are
> already denied by .htaccess based on their current location.

Dmitry Andrejev

Dec 9, 2010, 11:33:24 AM
to in-por...@googlegroups.com
Ok, I agree with you guys - file name can be specified via Constant.

I suppose Web Requests should work the same way?

What about location of both Logs and protecting it?

I propose the following:

1. make default (in DBG) log file names (for both Web and PHP) to start with DOT (.) so it's considered as system by Apache and won't be accessible at least

2. I have checked on Debug TXT files - currently they are accessible via Web (you just need to get a Session number which is NOT that hard if automated):

system/cache/debug_@104428589@.txt

Here we can do 1 of 2:

a. Rename all debug_@104428589@.txt to start with DOT

or 

b. add .HTACCESS to system/cache folder restricting access to all .TXT or some submatch.

I am for a) option since less changes more stable results.


What do you think?


DA

Phil -- wbtc.fr --

Dec 9, 2010, 12:12:23 PM
to in-por...@googlegroups.com
If debug logs are moving to the same protected directory as silent logs, we won't have to worry about preventing their access from cache, and we also won't have to modify our cleaning agent to look for these specific files in cache.
Cache folder should remain for files to be accessed from web, and logs from log files not viewable from web.

What do you think?

2010/12/9 Dmitry Andrejev <dand...@gmail.com>

Alexander Obuhovich

Dec 9, 2010, 12:55:38 PM
to in-por...@googlegroups.com
We can deny any web access to /system/cache folder, since we only include data from there. We will only allow .css and .js compressed files to be read from there.

This is "b" variant from Dmitry's post, since "." looks very strange.

Dmitry Andrejev

Dec 9, 2010, 1:00:53 PM
to in-por...@googlegroups.com
Well, there is a problem with adding an HTACCESS to that cache folder
since we would need to make sure it's never deleted while it can be (by
user or system).

"." is widely used by everyone including .SVN for example - I am
really for making it system/cache/.debug_@104428589@.txt which totally
makes sense - debug files are SYSTEM aren't they?


DA

Alexander Obuhovich

Dec 9, 2010, 2:47:04 PM
to in-por...@googlegroups.com
Still not convinced. I don't like files that start with ".", except for ".htaccess".

I don't like mass moving or mass renaming either.

I suppose "/system" folder is created for writable files. Actually both system and non-system files are created there.

I propose that we create a subfolder (or use an existing folder) under the "/system" folder, which:
  • won't be accessible from web (even the folder name could start with ".", will this work?)
  • only system files will be placed there.
We can ask In-Portal to create a "deny all" .htaccess each time it notices that it's missing in that "system only" folder.

Dmitry Andrejev

Dec 9, 2010, 3:20:33 PM
to in-por...@googlegroups.com
Yes, I like the idea of having one "." folder which will be closed
from Web access and initially can contain system valuable information.

I guess we should review all current folders within System/ to see how
they are used and what's going to happen to them + new ones we need.

Do we agree on that?


Cheers!


DA

Phil -- wbtc.fr --

Dec 9, 2010, 3:39:46 PM
to in-por...@googlegroups.com
actually, we don't have a separate log folder, this folder would contain all log files, debug ones, and silent log ones, and any future logs we would create.

System's subfolders are
  • backupdata
  • cache
  • downloads
  • export
  • images
  • import
  • stylesheets
  • tmp
  • user_files
all of them seem closely related to users data, .logs/ would clearly separate dev. data from user's one.


2010/12/9 Dmitry Andrejev <dand...@gmail.com>

Dmitry A.

Dec 12, 2010, 12:39:09 PM
to in-por...@googlegroups.com
Hi,


I have given some thought to this and I guess I would create a new folder under system with one of these names:

system/.restricted (my 1st choice)
system/.limited
system/.closed
system/.logs (may be too specific term)


I would place there:

1. ALL type of logs (gateways, shipping, PHP, Web requests)
2. Debug files


What do you think about this?


DA

Alexander Obuhovich

Dec 12, 2010, 12:41:12 PM
to in-por...@googlegroups.com
I'm ok with that in case if we can ensure this folder stays non-accessible from web in all cases.

Phil -- wbtc.fr --

Dec 12, 2010, 12:53:01 PM
to in-por...@googlegroups.com
/system/.logs is close to terms we can find in other systems, I was
and I'm still for it.

Debug files are also "debug logs", it fits here :)

2010/12/12 Alexander Obuhovich <aik....@gmail.com>:

Dmitry A.

Dec 12, 2010, 1:00:42 PM
to in-por...@googlegroups.com
Hi Phil,


.logs is a limited term, which means we can't really put anything else that we might need to hide from Web access there.

.restricted - covers it all.


DA.

Phil -- wbtc.fr --

Dec 12, 2010, 1:04:24 PM
to in-por...@googlegroups.com
Hi Dmitry,

that's right, but other things that need to be hidden and which are not
logs are already protected, aren't they?
I mean that I can't imagine (maybe I'm wrong), which future type of
data would need to be hidden and wouldn't have another place to be and
wouldn't be a log :-)


2010/12/12 Dmitry A. <dand...@gmail.com>:

Dmitry A.

Dec 12, 2010, 1:15:45 PM
to in-por...@googlegroups.com
Hi Phil, 


You'll be surprised, but we want to have a single folder which is 100% hidden from Web access and can store anything, which is why .restricted is the best choice so far.

Also, one more note - Debug output is not a log too :)


DA

Phil -- wbtc.fr --

Dec 12, 2010, 1:19:22 PM
to in-por...@googlegroups.com
ok about storing anything here, even if I don't see what else could be there.

we don't have the same definition of "logs": for me a log is a file
about something in the past, debug output is in this case for me :)

2010/12/12 Dmitry A. <dand...@gmail.com>:

Phil -- wbtc.fr --

Dec 12, 2010, 2:40:33 PM
to in-por...@googlegroups.com
notice: it seems that it's impossible to create a folder's name
starting with a dot in windows

2010/12/12 Phil -- wbtc.fr -- <ph...@wbtc.fr>:

Alexander Obuhovich

Dec 12, 2010, 2:47:06 PM
to in-por...@googlegroups.com
> notice: it seems that it's impossible to create a folder's name starting with a dot in windows

Believe me, it's possible. I've created one.

Phil -- wbtc.fr --

Dec 12, 2010, 2:48:47 PM
to in-por...@googlegroups.com
ok, then it's not possible from GUI under w7, maybe a script can
create it. I just wanted to warn about a possible difficulty for users
who want to test inportal on their local windows installation.

2010/12/12 Alexander Obuhovich <aik....@gmail.com>:

Alexander Obuhovich

Dec 12, 2010, 2:54:46 PM
to in-por...@googlegroups.com
I don't use anything native in Windows, like Explorer and so on. I use "Total Commander" program, that has stable interface, which doesn't change a lot, like between "Windows XP" and "Windows 7".

Phil -- wbtc.fr --

Dec 12, 2010, 3:00:11 PM
to in-por...@googlegroups.com
ok, my idea is to act like an average user, who won't have obviously
Total Commander.

We can't expect users to have any particular software, otherwise we'll
stay in a -small- closed community.


2010/12/12 Alexander Obuhovich <aik....@gmail.com>:

Dmitry A.

Dec 12, 2010, 3:08:21 PM
to in-por...@googlegroups.com
Hi Phil,


You (or other users) won't need to create such a folder!

It will be included in the distribution (inside of system/ folder).


I think that the reason that you (other users) can't create a Folder on Windows (way less popular among PHP users) shouldn't stop us from going with .restricted folder name which is more appropriate in this case. Folder won't be created for Regular users to work with it on daily basis - only if required.


I hope we agree on this.

DA

Phil -- wbtc.fr --

Dec 12, 2010, 3:19:13 PM
to in-por...@googlegroups.com
no problem, if we can access it. I hope you don't plan to restrict
inportal audience to PHP users ;-)

2010/12/12 Dmitry A. <dand...@gmail.com>:

Dmitry A.

Dec 12, 2010, 3:24:15 PM
to in-por...@googlegroups.com
Hi again Phil,


I see you have good sense of humor - this is good!

The answer is simple - everyone limits himself on his own, while we are working to give the tool to build websites and web-applications :)


DA

Phil -- wbtc.fr --

Dec 12, 2010, 3:26:50 PM
to in-por...@googlegroups.com
I'm happy to read you appreciate my humor :)

my goal is to extend in-portal user's limits far more than they have!


2010/12/12 Dmitry A. <dand...@gmail.com>:

Dmitry A.

Dec 13, 2010, 11:10:05 AM
to in-por...@googlegroups.com
New task has been filed here:

947: Create new folder with restricted access from Web


DA
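
The design the thread converges on (a log location set through the SILENT_LOG constant, plus a restricted folder whose "deny all" .htaccess is recreated when missing), sketched as an added example that is not In-Portal's code and not part of the original posts. The function names, the system/.restricted default and the reading of a relative SILENT_LOG value as relative to the document root are assumptions.

```php
<?php
// Added example, not In-Portal code. Function names, the default folder and
// the "relative to document root" reading of SILENT_LOG are assumptions.

// Deny-all rules for Apache 2.4 (mod_authz_core) and for older 2.2 setups.
const DENY_ALL = "<IfModule mod_authz_core.c>\n  Require all denied\n</IfModule>\n"
    . "<IfModule !mod_authz_core.c>\n  Order allow,deny\n  Deny from all\n</IfModule>\n";

// True when $path is $root itself or lies below it (both must exist).
function is_inside(string $path, string $root): bool
{
    $path = realpath($path);
    $root = realpath($root);
    if ($path === false || $root === false) {
        return false;
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strpos($path . DIRECTORY_SEPARATOR, $root) === 0;
}

// (Re)write the deny-all .htaccess whenever it is missing or was altered.
function ensure_deny_all(string $dir): void
{
    $file = $dir . DIRECTORY_SEPARATOR . '.htaccess';
    if (!is_file($file) || file_get_contents($file) !== DENY_ALL) {
        if (file_put_contents($file, DENY_ALL, LOCK_EX) === false) {
            throw new RuntimeException("cannot write $file");
        }
    }
}

// 1 selects the default restricted folder; a string is a path relative to the
// document root. A log folder inside the document root gets the guard.
function silent_log_path($setting, string $docRoot): string
{
    $rel = is_string($setting) ? $setting : 'system/.restricted/silent.log';
    $dir = dirname($docRoot . DIRECTORY_SEPARATOR . $rel);
    if (!is_dir($dir) && !mkdir($dir, 0750, true) && !is_dir($dir)) {
        throw new RuntimeException("cannot create $dir");
    }
    if (is_inside($dir, $docRoot)) {
        ensure_deny_all($dir);
    }
    return realpath($dir) . DIRECTORY_SEPARATOR . basename($rel);
}

// Constructed demo in a temporary directory standing in for the web root.
$root = sys_get_temp_dir() . '/inp_demo_' . getmypid() . '/www';
mkdir($root, 0750, true);
echo silent_log_path(1, $root), "\n", silent_log_path('../logs/silent.log', $root), "\n";
```

The .htaccess guard only takes effect on Apache when AllowOverride permits these directives for the folder; on any other setup, only a log path outside the document root keeps the file unreachable from the web.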