Jms Multi Site, formerly joomla multisite.
What site needs to run the new create site module?
#9878
Re: What site needs to run the new create site module? 12 Years, 8 Months ago Karma: 0
What are the implications if the JMS component is installed in a slave site?

Are there any security concerns or other issues I should be aware of?
TonyGee
Expert Boarder
Posts: 113
 
#9884
Re: What site needs to run the new create site module? 12 Years, 8 Months ago Karma: 54
Access to JMS from a slave site requires being a Super Admin.
It is recommended to avoid managing the slave site definition from the slave site.

The only case where JMS multisite can be installed in a slave site is when you want to be able to create slave sites from the front-end of a slave site. In this case, the component is required to provide the functionality to create the slave site.

The access to JMS slave site definition should not be provided to a "lambda" customer as it could read the definition of all the slave sites and potentially get access to sensitive information such as DB name, prefix, user, password.

On the master, also avoid installing extensions like "joomla extplorer", ninja explorer, ... that give access to the files and folders.
When they are not present in the master, they cannot be installed in a slave site.
edwin2win
Moderator
Posts: 5370
 
#9890
Re: What site needs to run the new create site module? 12 Years, 8 Months ago Karma: 0
Hi Edwin,

You said:

The access to JMS slave site definition should not be provided to a "lambda" customer as it could read the definition of all the slave sites and potentially get access to sensitive information such as DB name, prefix, user, password.

Can you please explain a bit more about what you mean? What do you mean when you say 'the slave site definition'?

How could the user get access to the DB name, prefix, user and password?

Are there any additional customisations we could make to improve the security?

Thanks and regards.
TonyGee
Expert Boarder
Posts: 113
Last Edit: 2012/04/15 12:15 By TonyGee.
 
#9907
Re: What site needs to run the new create site module? 12 Years, 8 Months ago Karma: 54
The management of the Slave Site definition should only be reserved to the Super Admin of the server or of the Master website.
Not to any administrator or customers.

From my point of view it is abnormal that anybody manages the slave site definition from any website.
If you are using Joomla 2.5, do not provide the Super Admin to your customers.
Create a limited administrator to reduce the permission.
edwin2win
Moderator
Posts: 5370
 
#9923
Re: What site needs to run the new create site module? 12 Years, 8 Months ago Karma: 0
Hi Edwin,

I would never give my customers super admin logins.

Are you referring to the security issue with allowing anonymous users to create a slave from the front end?

If we were to automatically generate a registered user account on new slave creation then would the user only have access to the slave definition that he created?

Would this solve the security issues completely?
TonyGee
Expert Boarder
Posts: 113
 
#9936
Re: What site needs to run the new create site module? 12 Years, 8 Months ago Karma: 54
In the front-end, creating a slave site that is attached to a registered user effectively adds security, as there is a control that the person who accesses the slave site definition is either the Super Admin or the user himself.
Otherwise the access is forbidden.
edwin2win
Moderator
Posts: 5370
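The check described in the last reply (Super Admin or the owning user, otherwise forbidden), as an added example that is not part of the thread and is not JMS code. The record layout, field names and the `readSlaveDefinition` function are hypothetical, and hiding the DB connection fields from the owner is an extra assumption made here in light of the earlier warning about DB name, prefix, user and password.

```php
<?php
// Added illustration: hypothetical record layout, not the JMS data model.
const SECRET_FIELDS = ['db_name', 'db_prefix', 'db_user', 'db_password'];

/**
 * Return the slave site definition the caller is allowed to see, or throw.
 * $user is ['id' => int, 'is_super_admin' => bool]; id 0 means guest.
 */
function readSlaveDefinition(array $user, array $definitions, string $siteId): array
{
    // Unknown site and "not your site" get the same answer, so a caller
    // cannot use the error to enumerate existing slave sites.
    if (!isset($definitions[$siteId])) {
        throw new RuntimeException('Forbidden');
    }
    $def     = $definitions[$siteId];
    $isSuper = !empty($user['is_super_admin']);
    $isOwner = $user['id'] > 0 && $def['owner_id'] === $user['id'];

    // Deny by default: only the Super Admin or the attached user passes.
    if (!$isSuper && !$isOwner) {
        throw new RuntimeException('Forbidden');
    }
    // Assumption of this example: the owner never needs the DB credentials.
    return $isSuper ? $def : array_diff_key($def, array_flip(SECRET_FIELDS));
}

// Constructed sample data.
$definitions = [
    'shop-a' => ['owner_id' => 42, 'domain' => 'a.example.test', 'db_name' => 'jms_a',
                 'db_prefix' => 'a_', 'db_user' => 'a_user', 'db_password' => 'PLACEHOLDER'],
    'shop-b' => ['owner_id' => 43, 'domain' => 'b.example.test', 'db_name' => 'jms_b',
                 'db_prefix' => 'b_', 'db_user' => 'b_user', 'db_password' => 'PLACEHOLDER'],
];
$callers = [
    'super admin'     => ['id' => 1,  'is_super_admin' => true],
    'owner of shop-a' => ['id' => 42, 'is_super_admin' => false],
    'other customer'  => ['id' => 43, 'is_super_admin' => false],
    'guest'           => ['id' => 0,  'is_super_admin' => false],
];
foreach ($callers as $label => $user) {
    try {
        $visible = array_keys(readSlaveDefinition($user, $definitions, 'shop-a'));
        echo $label, ': ', implode(', ', $visible), "\n";
    } catch (RuntimeException $e) {
        echo $label, ': ', $e->getMessage(), "\n";
    }
}
```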
 
2Win, Multisite(s) are trademarks of Edwin2Win.