Moodle
  1. Moodle
  2. MDL-30728

'Dataroot location is not secure' mesage doesn't let me install

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Minor Minor
    • Resolution: Not a bug
    • Affects Version/s: 2.2
    • Fix Version/s: None
    • Component/s: Installation
    • Labels:
      None
    • Testing Instructions:
      Hide

      The important bit is a symlink and where it links to:
      Under Apache webroot (in my case it's /var/www/html), I have a symlink made by:
      ln -s /share
      and my moodle folder is /share/moodle2
      (so I want to have $CFG->wwwroot = 'http://192.168.56.101/share/moodle2).

      I think: That makes is_dataroot_insecure() - the first 24 lines of it - think that my Apache webroot is same as my Unix / volume, and since the dataroot folder is somewhere under Unix /, it thinks that the dataroot folder (/share/moodle2) is exposed under my Apache webroot. Which is incorrect, since I use symlinks.

      It's not odd to have Apache web path (in my case /share/moodle2) same as the respective webroot absolute path, if I have a need for it. I'm the admin of the server and I know it's secure.

      2.2 (Build: 20111205)
      Linux localhost.localdomain 2.6.32-131.21.1.el6.i686 #1 SMP Tue Nov 22 18:21:07 GMT 2011 i686
      Apache/2.2.15 (CentOS)
      PHP/5.3.3
      CentOS 6, SELinux turned off

      Installation screen:
      web address: http://192.168.56.101/share/moodle2
      moodle dir: /share/moodle2
      data dir: any that I've tried fails (/datamoodle2, /data/moodle2), no matter what permissions, no matter whether it exists or not

      Show
      The important bit is a symlink and where it links to: Under Apache webroot (in my case it's /var/www/html), I have a symlink made by: ln -s /share and my moodle folder is /share/moodle2 (so I want to have $CFG->wwwroot = 'http://192.168.56.101/share/moodle2). I think: That makes is_dataroot_insecure() - the first 24 lines of it - think that my Apache webroot is same as my Unix / volume, and since the dataroot folder is somewhere under Unix /, it thinks that the dataroot folder (/share/moodle2) is exposed under my Apache webroot. Which is incorrect, since I use symlinks. It's not odd to have Apache web path (in my case /share/moodle2) same as the respective webroot absolute path, if I have a need for it. I'm the admin of the server and I know it's secure. 2.2 (Build: 20111205) Linux localhost.localdomain 2.6.32-131.21.1.el6.i686 #1 SMP Tue Nov 22 18:21:07 GMT 2011 i686 Apache/2.2.15 (CentOS) PHP/5.3.3 CentOS 6, SELinux turned off Installation screen: web address: http://192.168.56.101/share/moodle2 moodle dir: /share/moodle2 data dir: any that I've tried fails (/datamoodle2, /data/moodle2), no matter what permissions, no matter whether it exists or not
    • Workaround:
      Hide

      install.php calls is_dataroot_insecure() from lib/adminlib.php. The way it's called (with the parameter $fetchtest having the default value false) and the logic of that function seems very erratic, magic and sick.\

      In this instance, because of the parameter the functions doesn't perform much of a check, and it always returns non-zero (for me), so it doesn't let me install in the situation described in 'Testing instructions'.

      Workaround: Either make is_dataroot_insecure() detect and understand symlinks - which will make it even less readable. Or: instead of stopping the install process, let /install.php just show a warning when that function returns INSECURE_DATAROOT_WARNING. Currently it stops the install process, despite what the name of that value says - because currently /install.php checks whether the return value of that function is non-zero.

      Fix: /install.php around line 310 change it to:
      } else if ( ($datarootinsecure=is_dataroot_insecure()) && $datarootinsecure!=INSECURE_DATAROOT_WARNING )

      { $hint_dataroot = get_string('pathsunsecuredataroot', 'install'); $config->stage = INSTALL_PATHS; }

      You may want to show a warning in that case, but that involves much more work.

      Show
      install.php calls is_dataroot_insecure() from lib/adminlib.php. The way it's called (with the parameter $fetchtest having the default value false) and the logic of that function seems very erratic, magic and sick.\ In this instance, because of the parameter the functions doesn't perform much of a check, and it always returns non-zero (for me), so it doesn't let me install in the situation described in 'Testing instructions'. Workaround: Either make is_dataroot_insecure() detect and understand symlinks - which will make it even less readable. Or: instead of stopping the install process, let /install.php just show a warning when that function returns INSECURE_DATAROOT_WARNING. Currently it stops the install process, despite what the name of that value says - because currently /install.php checks whether the return value of that function is non-zero. Fix: /install.php around line 310 change it to: } else if ( ($datarootinsecure=is_dataroot_insecure()) && $datarootinsecure!=INSECURE_DATAROOT_WARNING ) { $hint_dataroot = get_string('pathsunsecuredataroot', 'install'); $config->stage = INSTALL_PATHS; } You may want to show a warning in that case, but that involves much more work.
    • Affected Branches:
      MOODLE_22_STABLE
    • Rank:
      33604

      Description

      'Dataroot location is not secure' mesage doesn't let me install when using symlinks

        Activity

          People

          • Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: