I don't want to use FTP to update site | Forum

Regis Grison
Regis Grison May 24 '14
Hi,

I upload files using ssh to my server and I don't want to setup a FTP server only for oxwall.

I know that some people had trouble with it because when I first installed oxwall, I searched install forum to find a solution.

I have been using the one I provide here for a long time, and I have wanted to share it for a long time, so here it is.

I attached 2 files: the dirty way and the clean way.
I prefer the clean one because it could be added to oxwall main stream (that would be cool) but if you just want to do it quick and dirty, the dirty way is available for you.

I think that if enough people say it's cool, it could be added in native oxwall so if you like it, say it!

Here are the details about what I've done:

*****************************
clean way, add a setting option:
*****************************

ow_system_plugins/admin/controllers/settings.php:
v 1.5.1 (maybe earlier) -> 1.6.0
added lines: 92, 568, 569, 679
what it does:
- 92: load parameter use_ftp
- 568, 569: add parameter in form
- 679: save parameter use_ftp

ow_system_plugins/admin/views/controllers/settings_index.html:
v 1.5.1 (maybe earlier) -> 1.6.0
added lines: 34 -> 38
need new translations:
- admin+site_use_ftp (Use FTP)
- admin+site_use_ftp_desc (Uncheck this box if you don't want to use FTP for upgrade)
what it does: add a checkbox in parameters

ow_system_plugins/base/bol/plugin_service.php:
1.6.0 (can work with previous version but files are not identical so you have to copy the 2 lines manually)
added lines: 721, 722
what it does: skip ftp connection to let direct file access

ow_utilities/file.php:
1.6.0 (can work with previous version but files are not identical so you have to copy the 2 functions manually)
added lines: 321 -> 375
what it does: add a function to create directory and a function to put files of plugin using direct file access

********************************
dirty version (simply wipe out ftp):
********************************

ow_system_plugins/base/bol/plugin_service.php:
1.6.0 (can work with previous version but files are not identical so you have to copy the 2 lines manually)
added lines: 721, 722
what it does: skip ftp connection to let direct file access

ow_utilities/file.php:
1.6.0 (can work with previous version but files are not identical so you have to copy the 2 functions manually)
added lines: 321 -> 375
what it does: add a function to create directory and a function to put files of plugin using direct file access

Regis.
Attachments:
  clean_way.zip (19.65Kb)
  dirty_way.zip (8.69Kb)
Regis Grison
Regis Grison May 24 '14
I forgot something, I had to insert a line in base_config table:
INSERT INTO ow_base_config (`key`, `name`, `value`, `description`) VALUES ("base", "use_ftp", NULL, "Uncheck this box if you don't want to use FTP for upgrade")
Alia Team
Alia May 27 '14
Regis, your solution will work only if suPHP is installed on the server.

In cases when suPHP is installed, the same result can be achieved in a better and easier way just by adding code that checks whether the user in use has rights to overwrite files on the server. The file that needs to be edited is ow_system_plugins/admin/controllers/plugins.php

In addition, with your solution, any person with admin access details will have direct access to the /ow_plugins/ folder on the server and will be able to upload any files there. This is not very secure, especially if you have several moderators with admin rights. They will be able to upload not only new plugins, but also update the whole platform if an update is available.

Nevertheless your idea is a good one. But it needs to be technically implemented in a different and more secure manner. If you would like this feature to be included in upcoming releases, make the needed changes and feel free to submit your improvement to our public repository at https://bitbucket.org/oxwall/public
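The write-permission check suggested in the post above could look like the following; this is an added example, not part of the thread, the attached patch, or Oxwall's code. The function name `ow_example_can_write_directly` and the scratch directory are hypothetical.

```php
<?php
// Added example: hypothetical helper, not part of Oxwall.

/**
 * Decide whether upgrade files can be written directly by the PHP process,
 * or whether the FTP path is still needed.
 *
 * @param string $dir directory that upgrades write into (e.g. the plugin folder)
 * @return array{direct: bool, reason: string}
 */
function ow_example_can_write_directly(string $dir): array
{
    if (!is_dir($dir)) {
        return ['direct' => false, 'reason' => 'not a directory'];
    }

    // is_writable() only inspects permission bits; confirm with a real write.
    $probe = @tempnam($dir, 'owprobe_');

    // tempnam() falls back to the system temp dir when $dir is not writable,
    // so verify that the probe really landed inside $dir.
    if ($probe === false || dirname(realpath($probe)) !== realpath($dir)) {
        if ($probe !== false) {
            @unlink($probe);
        }
        return ['direct' => false, 'reason' => 'cannot create files in directory'];
    }

    // Files created by PHP should have the same owner as the existing tree
    // (true under suPHP, and true when the web server user owns the files).
    clearstatcache(true, $probe);
    $probeOwner = fileowner($probe);
    $dirOwner   = fileowner($dir);
    @unlink($probe);

    if ($probeOwner === false || $probeOwner !== $dirOwner) {
        return ['direct' => false, 'reason' => 'new files would have a different owner'];
    }
    return ['direct' => true, 'reason' => 'PHP user owns the tree and can write'];
}

// Constructed demo: a scratch directory stands in for the plugin folder.
$scratch = sys_get_temp_dir() . '/ow_example_' . bin2hex(random_bytes(4));
mkdir($scratch, 0700);
var_export(ow_example_can_write_directly($scratch));
rmdir($scratch);
```

The check only answers whether direct writes are possible on this server; which admin accounts may trigger an install or upgrade remains a separate authorization question.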
Regis Grison
Regis Grison May 27 '14
Hi,

I'm sorry but I cannot agree with you about suPHP and security.

First, I don't use suPHP or anything like that. The oxwall files are owned by the web server and that's enough. I can agree that there are servers that don't work this way, but there are also servers without an FTP server (just look for FTP in the forum, there is something like 30 pages of results; not all are FTP issues, but a lot are). Giving the choice will solve problems without any drawback.

The idea of checking whether FTP is necessary or not is great and would be OK for me. Giving the choice would still work if detection fails (eg: if you check suPHP, my server will still be in trouble).

About security, do you mean that joomla, wordpress, and the whole world are badly designed?
By the way, allow me to upload a plugin in a current, not hacked, oxwall site and I'll take over the whole site in 5 minutes. Direct access or FTP access will only change the name of the functions to use.

Finally, I'm OK to make any changes you want but you'll have to tell me what you want me to change.
Regis Grison
Regis Grison May 27 '14
It won't add much to this discussion but I was thinking about security and allowing to install plugins.

If you don't trust the moderator because he doesn't know much about computers, there is no problem.

If you don't trust the moderator because he may do bad things and this person can install a plugin, the game is already over. He only has to install a plugin that just prints the FTP parameters, reading the database (and it's not a big deal). After that, the whole site is compromised, because he can install whatever he wants using FTP.

Direct disk access is not really more secure but you need a more complicated plugin.

I don't see how we can secure against someone that can upload a file (using FTP or not).
Even automatic code checking can be quite impossible because you can pass a function name from URL and then call it without having it in the plugin (in case you forbid fwrite or so).
Regis Grison
Regis Grison Jun 1 '14
Hi,

Any news?

A little up because I really am OK to make my code more secure but I still need to know what you want me to improve.

However, you won't know if users really want this or not because I posted a link to this post in some posts that had the same problem but no solutions and a moderator erased them without telling me. A good way to hide it.

About security, I thought a lot about the question and I must insist on the fact I see 9 ways to hack the site for someone that can install a plugin and 6 of them work only because of the current FTP way. So I'm quite stuck to remove a security flaw I don't see (but I may have missed something).
Alia Team
Alia Jun 3 '14
Hello Regis,

>>A little up because I really am OK to make my code more secure but I still need to know what you want me to improve.

The answer to this question of yours requires deeper programming knowledge and knowledge of the way things work on the server side, and unfortunately I can't answer this question myself.

If you submit your feature to our public repository (checked directly by our dev team), our developers will be able to provide more detailed technical feedback on what needs to be changed in case of rejection.


Regis Grison
Regis Grison Jun 4 '14
OK. I'll do that.

My question was because I understood you said I needed to make changes first.
Regis Grison
Regis Grison Jun 5 '14
Well... I don't really know this software...

Where should I do that? Is that in the "Pull request"?
Regis Grison
Regis Grison Jun 16 '14
Hi,

A little up since I have no news for a while, maybe you didn't see my previous post.
Guido
Guido Jul 1 '14
Hi,

Thank you very much for your fabulous work. I'd a problem with the FTP connection which wasn't connecting to mysql database. I searched for a couple of days, but I found no solution.
I tried your solution. And.... IT WOOORKS!
You saved my life.
Thanks a lot

Guido
Regis Grison
Regis Grison Jul 2 '14
Glad to hear that!

I'll submit it as asked. If someone is lost as I was, the link is here:
http://docs.oxwall.org/dev:tuts:repository

edit: request pulled
The Forum post is edited by Regis Grison Jul 2 '14
Regis Grison
Regis Grison Sep 9 '14
Hi,

Little up for this post. I know I posted it in early summer but I still have no news (not even a "we're looking at it") for 2 1/2 months...

Is that normal?
ben
ben Sep 9 '14
I'm also having trouble with ftp to update oxwall, since using proftpd
Regis Grison
Regis Grison Sep 10 '14
Hi Ben, did you try my patch?