Defining a minimal / restricted installation footprint


Ben Martin

May 7, 2019, 8:53:26 AM
to SimpleSAMLphp developers
Hi,

I am the maintainer of the FileSender project which uses simplesamlphp for authentication. A recent security audit made some recommendations about possible improvements and some of these also relate to how simplesamlphp was set up on a specific server. One recommendation was to limit user access to things that are not required for system functionality, which brings me to this message.

Is there a recommended installation procedure for a minimal exposed footprint of simplesamlphp? I am looking at version simplesamlphp-1.17.2. There are some very useful pages such as module.php/sanitycheck/ which one might like to use but not necessarily expose to the people who might be using a web site that authenticates using simplesamlphp.

Before I start a trial and error of disabling some of the following modules I thought I would ask on the list in the hopes that others have gone before me and might offer some advice about limiting what is offered by simplesamlphp.

For simplesamlphp-1.17.2 I see:
modules]$ find . -name "*enable"
./ldap/default-enable
./admin/default-enable
./authorize/default-enable
./multiauth/default-enable
./portal/default-enable
./saml/default-enable
./sanitycheck/default-enable
./core/default-enable

I have done some tracing of resource loading during login and logout locally and see some requests for files such as
/simplesaml/resources/script.js
/simplesaml/resources/default.css
/simplesaml/resources/icons/favicon.ico

Though looking in www I see the admin directory and in www/resources some files such as an older version of jquery which I may look to deny via apache configuration. Unfortunately I am only testing my changes locally using a fixed example-userpass setup in my authsources.php which makes it harder for me to give recommendations to people who are setting up FileSender, and by extension simplesamlphp, on their server.

Any recommendations are very welcome.
