Possibility of moving template_c folder above public_html | Forum

dave Leader
dave May 27 '19
For security reasons many open source scripts (that use smarty) are moving their template_c folder above the public_html folder to keep the public out of them.  


So I thought I would test this with Oxwall when I get a chance; it may take me a few days or a week to do this because I'm doing other things outside right now while we have good weather. But I will report back.

Now one thing I have found so far is that it appears the template_c location is actually set in

ow_libraries/vendor/smarty/smarty/libs/Smarty.class.php file


:) 

The Forum post is edited by dave May 30 '19
AppXprt
AppXprt May 28 '19
Honestly, that's a great idea as well as moving ow_userfiles and possibly even ow_pluginfiles...
dave Leader
dave May 28 '19
We have a few rain days coming this week, I'll test that out. Thanks
dave Leader
dave May 29 '19
Well, this morning I confirmed that it does work moving the template_c folder above the public_html.

However, this does not require a plugin to do so, as that would be overkill since it's so easy to do, and no one would buy the plugin to do it when they can just change one line of code and change it.

So here is how you do it:

1. Copy the ow_smarty folder (the whole folder) to /home/username/ (replace username with your cPanel or other panel username).

2. In the Oxwall directory, change the name of ow_smarty to ow_smartyold just to be sure it uses the one you just copied.

3. Open the Oxwall config file ow_includes/config.php and change this line of code


define('OW_DIR_SMARTY', OW_DIR_ROOT.'ow_smarty'.DS);


to 


define('OW_DIR_SMARTY', '/home/username/ow_smarty'.DS);


Again, change username to your panel username.

Save the file. DONE!!!

What I did was I just made a copy of that line of code and commented out the original so I can go back if I need to.


like so: 


//changed location to above public_html for security

//define('OW_DIR_SMARTY', OW_DIR_ROOT.'ow_smarty'.DS);
define('OW_DIR_SMARTY', '/home/username/ow_smarty'.DS);



Now your smarty is more secure.  :)



If you want to test it, just go to the template_c folder above the public_html, select everything inside that folder and delete it all. Then refresh your site and look again; if there are files in there now, then it's working fine.

I am sure the same can be done with other config values, but I have not yet tested those.


Have a good day :)


Dave 


The Forum post is edited by dave May 29 '19
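
A way to verify the three steps in the post above after editing config.php, as an added example that is not part of the original thread or of Oxwall itself. The function names are hypothetical, and the config file and web root you pass in are whatever your own install uses.

```shell
#!/bin/sh
# Added example: verify that ow_smarty was relocated as described above.

# Print the literal path from the active OW_DIR_SMARTY define in config file $1.
# Prints nothing for commented-out lines or the stock OW_DIR_ROOT.'ow_smarty' form.
configured_smarty_dir() {
    sed -n "s|^[[:space:]]*define('OW_DIR_SMARTY',[[:space:]]*'\([^']*\)'[[:space:]]*\.[[:space:]]*DS);.*|\1|p" "$1" | tail -n 1
}

# Succeed only if directory $1 resolves (symlinks followed) outside web root $2.
is_outside_docroot() (
    dir=$(cd "$1" 2>/dev/null && pwd -P) || exit 2
    root=$(cd "$2" 2>/dev/null && pwd -P) || exit 2
    case "$dir/" in
        "${root%/}"/*) exit 1 ;;   # same directory or a child of the web root
    esac
    exit 0
)

# check_relocation CONFIG DOCROOT: print a verdict; return 0 only if all checks pass.
# Run it as the account PHP runs under so the writability test is meaningful.
check_relocation() (
    dir=$(configured_smarty_dir "$1")
    if [ -z "$dir" ]; then
        echo "FAIL: OW_DIR_SMARTY is not a literal path (still built from OW_DIR_ROOT?)"
        exit 1
    fi
    if ! is_outside_docroot "$dir" "$2"; then
        echo "FAIL: $dir is missing or still inside $2"
        exit 1
    fi
    if [ ! -d "$dir/template_c" ] || [ ! -w "$dir/template_c" ]; then
        echo "FAIL: $dir/template_c must exist and be writable"
        exit 1
    fi
    echo "OK: compiled templates go to $dir, outside $2"
)

# Example call (placeholder paths, matching the post's /home/username layout):
# check_relocation /home/username/public_html/ow_includes/config.php /home/username/public_html
```
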
Catkin
Catkin May 29 '19

Security is a top priority for our site and I will certainly make sure to try this out!


Thank you very much Dave! More people should take a note of this!

dave Leader
dave May 29 '19
Thanks Jamie +1  


An afterthought here that I wanted to share regarding using this method to also move the ow_userfiles and other configured folders.

Moving the smarty folder is possible because the core uses standard methods to interact with it. The same cannot be said for some of the other folders such as the ow_userfiles folder.

Oxwall has an internal method designed to interact with the ow_userfiles folder; however, not all devs use this method and I have seen many in the past that have interacted with this and other Oxwall folders in more of a direct literal method than the proper Oxwall method.

This means that moving the ow_userfiles in the cases where the dev's third party plugin does not use standard methods could break that plugin. So if you decide to move other folders in the same way as written above, just be sure you are aware of the possibility of breaking something along the way.

Dave

Oh, and one other thing you might also do. You might as well clear everything out of the old template_c folder. That way, if you ever decide to go back to that folder, Oxwall will recreate new files instead of using the old ones, which would probably have changed a lot in the meantime. You don't need them there anyway if they are not used.

The Forum post is edited by dave May 29 '19
Asoka Janaka
Asoka Janaka Apr 18 '20
For some of the non-IT users of Oxwall it would be good if you (Dave) could create a plugin. I for one would definitely buy it.


Hope we get a lot of rain in Texas to give Dave more time indoors.


Thank you Dave

dave Leader
dave Apr 18 '20
LOL thanks :)
OW-Ghost
OW-Ghost Jul 15 '20
That was great security advice.

I agree it would be great with a plugin that does this.

When you want to transfer your website to another server, then you need to remember that one folder is above the public folder. And hopefully you will remember :) Maybe the plugin could add a new name and permission to the old smarty folder, then you have it there even if you transfer the website :) But I think best would be if you remember and then transfer the folder above the public folders if you want to do a website transfer.

Is this fix not working with other 777 folders?

The Forum post is edited by OW-Ghost Jul 15 '20
dave Leader
dave Jul 15 '20
Thanks Ghost, I have not tested other folders.