Protecting filestore from direct remote access


Vincent de Grandpré

Sep 4, 2014, 11:28:13 AM
to resour...@googlegroups.com
Hi,

Is there a way that we can completely hide the filestore from the web server so that no browser could navigate in it or get unauthorized access to resources?

Even if the resources are in a complex tree, their permanent nature makes this reality a problematic security issue.

Putting it out of Apache Web Server and pointing $storagedir to, i.e. /usr/local/filestore, and giving permissions to www-data renders the thumbnails and previews unreadable, breaking functionality. Well, download will work, but no previews or thumbnails will be available.

Having a symlink to filestore inside the web server gives access to resources as well.

In the era of bots and cyberhacking, we surely want to avoid exposing data like that!

Any thoughts?

Best.
Vincent

Axel Dörfler

Sep 5, 2014, 9:56:02 AM
to resour...@googlegroups.com
On Thu, Sep 4, 2014 at 5:28 PM, Vincent de Grandpré
<vincent.d...@gmail.com> wrote:
> Is there a way that we can completely hide the filestore from the web server
> so that no browser could navigate in it or get unauthorized access to
> resources?

You can use the ref_urls plugin for this. Just enable it, and all data
is checked for authorization before access (the filestore doesn't need
to be accessible for world anymore then).
Please note that the thumbnails are still unprotected by default for
performance reasons (you can change this in its configuration,
however).

Bye,
Axel.

Vincent de Grandpré

Sep 5, 2014, 9:59:56 AM
to resour...@googlegroups.com
Thank you sir!

Any clue on where I can protect the thumbnails using config ?

Best,
Vincent



--
ResourceSpace: Open Source Digital Asset Management
http://www.resourcespace.org

Axel Dörfler

Sep 5, 2014, 10:18:30 AM
to resour...@googlegroups.com
On Fri, Sep 5, 2014 at 3:59 PM, Vincent de Grandpré
<vincent.d...@gmail.com> wrote:
> Any clue on where I can protect the thumbnails using config ?

The usual, in plugins/ref_urls/config/config.php. Just commenting that
line should be enough.

Bye,
Axel.

Vincent de Grandpré

Sep 5, 2014, 10:35:51 AM
to resour...@googlegroups.com
Thanks Axel.

Well, that didn't fix the issue. Resources are still available publicly and if I move the filestore outside the web server root the thumbnails and previews are not found.

Other clues ?


Axel Dörfler

Sep 5, 2014, 11:46:54 AM
to resour...@googlegroups.com
On Fri, Sep 5, 2014 at 4:35 PM, Vincent de Grandpré
<vincent.d...@gmail.com> wrote:
> Well, that didn't fix the issue. Resources are still available publicly and
> if I move the filestore outside the web server root the thumbnails and
> previews are not found.

Not without any further info. I know for sure that it does work, as it
does its job just fine at a number of installations over here.

The links to the resources change due to the plugin. If you can still
use the old links to get to the data, your filestore is still readable
from the network for no good reason. If you can still see the data
with the new link, you are logged in :-)

Bye,
Axel.

Vincent de Grandpré

Sep 5, 2014, 12:17:11 PM
to resour...@googlegroups.com
Thanks again Axel.

By direct access I meant... I could refer to the filestore directly.
One example is here : http://dev.footage2go.com/filestore/1/0/0_c8d67909e37f87f/100_fc9ff13e3740576.jpg

.. Not logged-in and I shall not have access. Moving the filestore outside the web server root breaks the thumbnails and previews.

So I don't know what to do.

Best,
Vincent


Axel Dörfler

Sep 8, 2014, 3:29:16 AM
to resour...@googlegroups.com
On Fri, Sep 5, 2014 at 6:17 PM, Vincent de Grandpré
<vincent.d...@gmail.com> wrote:
> By direct access I meant... I could refer to the filestore directly.
> One example is here :
> http://dev.footage2go.com/filestore/1/0/0_c8d67909e37f87f/100_fc9ff13e3740576.jpg
>
> .. Not logged-in and I shall not have access. Moving the filestore outside
> the web server root breaks the thumbnails and previews.

As I said previously, you still have to manually change the access
privileges for the filestore folder. If your server is running on a
Unix derivative, a "chmod 700 filestore" should do the trick.
You can also simply move it some place else, and adapt the $storagedir
variable accordingly.

Bye,
Axel.

Vincent de Grandpré

Sep 8, 2014, 10:17:55 AM
to resour...@googlegroups.com
Thanks Axel, I agree, but doing so breaks the thumbnails and previews on our installation the way it is.

Even with ref_urls plugin, the files will still have to be referred from 'inside' the web server file structure if the system has to show it (either thumbnail or video previews).

Do you know a way of re-creating the preview files or to have them rendered to the user while the filestore resides in another directory?

I've placed the filestore outside the root of the web server. Permissions ownership is to www-data, chmod is 777 recursively on sub-folders.

Best,
Vincent


BRUDmon

Sep 10, 2014, 10:32:27 AM
to resour...@googlegroups.com
Hi Vincent,

It's just a guess but do you happen to have "$direct_download_noauth=" set to "true"?

Vincent de Grandpré

Apr 3, 2015, 2:04:40 PM
to resour...@googlegroups.com
Hi,

Did not change a thing. Direct access is still feasible !

http://dev.footage2go.com/filestore/1/4/3/5_f8f5313a46f40ee/1435_alt_107_c71be698684e7d6.mp4

This is something big, as serious customers will need protected filestore.
I meant, due to the persistent nature of the medias in RS platform, it will be feasible for one to grab the files.

There is a clear heuristic as where the resource ID is used as the path, with last digit followed by an underscore then a string of 15 hex characters (15^16 possibilities), followed by the resource ID, underscore, 'alt' string, a number and another scramble key.

I KNOW there are ways a sysadmin could prevent one from brute-forcing a resource, but I would prefer a software solution that has the filestore outside his web folder.

This is a risk with a small likelihood, but serious clients, like the banking industry, will reject a solution that exposes the filestore like that.

re...@rbkphoto.com

Apr 3, 2015, 3:54:15 PM
to resour...@googlegroups.com
How is your Apache/nginx configured? Does the web user have access to browse the filestore Index via a browser? Check your web server conf file for any permissive Options, Indexes, Directory listing settings.

pathways.ge

Jun 23, 2016, 5:52:22 PM
to ResourceSpace
Sorry for digging up an old thread. See it as a reference for later ;-)
If you are running your RS on Apache:

- right inside the filestore directory, create the file .htaccess
- put in this file the following line: Options -Indexes

Nginx does something with:
autoindex off;
in the config file for the webserver but since I don't have Nginx, I cannot test it.


These directives tell the webserver to disallow browsing in the filestore directory.

Cheers,
Jakobi
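
Added example, not part of the post above or of ResourceSpace: the listing-only setting from the post beside a deny-all rule, since `Options -Indexes` hides directory listings but still serves any file whose full path is requested. It assumes Apache 2.4, that `.htaccess` overrides are allowed, and that thumbnails and previews are served through an authenticated PHP script (the ref_urls plugin or `$hide_real_filepath` mentioned in this thread); the `<Directory>` path is a placeholder.

```apache
# Variant A: filestore/.htaccess with the listing-only setting from the post.
# Directory browsing is refused, but a request for a known file path
# (e.g. a thumbnail or preview URL) is still answered with the file.
# Needs "AllowOverride Options" (or All) for this directory.
Options -Indexes

# Variant B: filestore/.htaccess that refuses every direct request.
# Listings and files alike return 403; PHP can still read the files
# from disk and send them after its own authorization check.
# Needs "AllowOverride AuthConfig" (or All) for this directory.
# On Apache 2.2 the equivalent is "Order deny,allow" plus "Deny from all".
Require all denied

# Variant C: the same rule in the server or vhost configuration, which
# does not depend on AllowOverride. The path below is a placeholder for
# the real filestore location.
<Directory "/var/www/resourcespace/filestore">
    Options -Indexes
    Require all denied
</Directory>
```

With Variant B or C in place, a direct filestore URL requested from a browser that is not logged in should return 403 rather than the file.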

Warwick Barnes

Aug 17, 2017, 8:06:31 PM
to ResourceSpace
G'day,

I've been trying to remove direct access to the filestore also, which requires firstly making sure ResourceSpace doesn't directly use filestore links in its interface but always serves images through a PHP script that can be authenticated. I found the following option in the ResourceSpace config.default.php

# Experimental. Always use 'download.php' to send thumbs and previews. Improved security as 'filestore' web access can be disabled in theory.
$thumbs_previews_via_download = false;

This looks like the perfect option. I tried setting it to true but it doesn't seem to make any difference. Does anyone know how this works?

Cheers,

Warwick

Allison Stec

Aug 18, 2017, 9:50:18 AM
to Warwick Barnes, resour...@googlegroups.com
I’m not sure what version you’re using, Warwick, but the most recent release only shows that config in the config file…there’s no code that actually uses the option.

This might be due to a different config option being available: $hide_real_filepath

If you have this in your config.default.php file then you should consider trying this option instead.

Allison Stec
