Difference between revisions of "LimeSurvey/Technical documentation"

From Wikimedia Italia.
Revision as of 15:33, 11 May 2021

Page related to the server ⚙️ fabula

Brief documentation for system administrators of the LimeSurvey instance in Wikimedia Italia.

Server access

ssh fabula.wikimedia.it

ssh intreccio.wikimedia.it

To request access:

Overview

This was the legacy configuration in the destroyed ⚙️ fabula:

     ┌─────┐          ┌─────────────────┐          ┌───────────────┐
     │Alice│          │Apache (:80 :443)│          │PHP-FPM (:9002)│
     └──┬──┘          └────────┬────────┘          └───────┬───────┘
        │       request        │                           │        
        │<────────────────────>│                           │        
        │                      │                           │        
        │                      │         request           │        
        │                      │<─────────────────────────>│        
     ┌──┴──┐          ┌────────┴────────┐          ┌───────┴───────┐
     │Alice│          │Apache (:80 :443)│          │PHP-FPM (:9002)│
     └─────┘          └─────────────────┘          └───────────────┘


The configuration on server ⚙️ intreccio uses Apache alone, without a separate PHP-FPM backend.

Filesystem

The whole application is read-only (writable only by root) apart from some temporary locations and the upload directory.

The whole application is world-readable apart from the file config-secret.php and the directory for PHP sessions.

Before any update:

chown www-data: -R /var/www/limesurvey/production

After any update, harden the application:

# make the whole application read-only for everyone
chown root: -R /var/www/limesurvey/production

# allow uploading a new logo from the backend interface (also covered by the recursive chown on upload below)
chown www-data: /var/www/limesurvey/production/upload/themes/survey/generalfiles

# generic temporary directory for PHP
chown -R www-data: /var/www/limesurvey/production/tmp
chmod -R o=        /var/www/limesurvey/production/tmp

# user uploads
chown -R www-data: /var/www/limesurvey/production/upload

# user configuration (required by installation wizard)
chown -R www-data: /var/www/limesurvey/production/application/config
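A way to check that a tree actually matches the layout above once the `chown root:` pass has run, written here as an added example (it is not a script from Wikimedia Italia). It assumes the page's paths and the www-data account as defaults, both overridable as arguments; the logo directory sits under upload/, so the recursive chown on upload already covers it and it needs no separate allowance.

```shell
#!/bin/sh
# Audit a LimeSurvey tree against the ownership rules above. Added example, not a
# script from Wikimedia Italia; it assumes the page's paths and the www-data
# account as defaults, both overridable as arguments.
#
# Usage: limesurvey_audit [APP_ROOT] [WEB_USER]
# Prints one "TAG path" line per deviation and returns 1; a hardened tree prints
# nothing and returns 0. WEB_USER must exist on the host (find -user rejects
# unknown names).

limesurvey_audit() {
    app_root=${1:-/var/www/limesurvey/production}
    web_user=${2:-www-data}

    # Subtrees the page hands to the web user after an update. The logo
    # directory upload/themes/survey/generalfiles lives under upload/ and is
    # therefore covered by the second entry.
    set -- -path "$app_root/tmp" -prune -o \
           -path "$app_root/upload" -prune -o \
           -path "$app_root/application/config" -prune -o

    findings=$(
        # 1. Anything the web user owns outside those subtrees: a file the PHP
        #    process can overwrite, and PHP files under the web root run on the
        #    next request. -H follows only the "production" symlink given on
        #    the command line.
        find -H "$app_root" "$@" -user "$web_user" -print |
            sed 's/^/WEB_USER_OWNED /'

        # 2. World-writable entries anywhere in the tree.
        find -H "$app_root" -perm -0002 -print |
            sed 's/^/WORLD_WRITABLE /'

        # 3. tmp must carry no permissions for "other" (chmod -R o= above).
        [ -d "$app_root/tmp" ] &&
            find -H "$app_root/tmp" \( -perm -0001 -o -perm -0002 -o -perm -0004 \) -print |
                sed 's/^/TMP_OTHER_ACCESS /'
    )

    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run it as root after the hardening step (root is needed to descend into tmp once "other" has no access). A clean tree prints nothing and exits 0; anything it lists is either a path that was missed by `chown root:` or a mode that the steps above should have removed.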

Here is an overview of the application directory (listing taken on ⚙️ fabula, where tmp and upload were owned by the dedicated apache-limesurvey user described under #Unix):

# ls -l /var/www/limesurvey/production
total 84
drwxr-xr-x   2 root              root              4096 16 feb 10.50 admin
drwxr-xr-x  15 root              root              4096 21 feb 19.45 application
drwxr-xr-x   7 root              root              4096 16 feb 10.50 assets
-rw-r--r--   1 root              root              1131 16 feb 10.50 composer.json
-rw-r--r--   1 root              root              3273 16 feb 10.50 CONTRIBUTING.md
drwxr-xr-x   4 root              root              4096 16 feb 10.50 docs
drwxr-xr-x  19 root              root              4096 16 feb 10.50 framework
-rw-r--r--   1 root              root              6621 16 feb 10.50 index.php
drwxr-xr-x   5 root              root              4096 16 feb 10.50 installer
drwxr-xr-x 110 root              root              4096 16 feb 10.50 locale
-rw-r--r--   1 root              root                80 16 feb 10.50 manifest.yml
-rw-r--r--   1 root              root              1140 16 feb 10.50 phpci.yml
-rw-r--r--   1 root              root               984 16 feb 10.50 phpunit.xml
drwxr-xr-x   4 root              root              4096 16 feb 10.50 plugins
-rw-r--r--   1 root              root              2595 16 feb 10.50 README.md
drwxr-xr-x  13 root              root              4096 16 feb 10.50 tests
drwxr-xr-x   5 root              root              4096 16 feb 10.50 themes
drwxr-xr-x  37 root              root              4096 16 feb 10.50 third_party
drwxrwxr-x   5 apache-limesurvey apache-limesurvey 4096 17 feb 10.24 tmp
drwxrwxr-x   7 apache-limesurvey apache-limesurvey 4096 16 feb 10.50 upload

This is the configuration directory:

# ls -l /var/www/limesurvey/production/application/config
total 156
...
lrwxrwxrwx 1 root              root                 77 21 feb 19.44 config.php -> /etc/wmit-infrastructure/servers/fabula/projects/limesurvey/public-config.php
...

Dependencies

apt install -y php-zip php-imap php-gd

Admin

This is the admin panel:

The enabled users are listed in:

Configuration

LimeSurvey configuration:

nano /var/www/limesurvey/production/application/config/config.php

Apache configuration:

nano /etc/httpd/sites-enabled/it-wikimedia-survey-ssl.conf
nano /etc/httpd/sites-enabled/it-wikimedia-survey-txt.conf

PHP-FPM configuration:

nano /etc/opt/rh/rh-php73/php-fpm.d/9002-limesurvey.conf

To publish any configuration change to Wikimedia Phabricator, run:

/root/scripts/commit.sh

Log

Application error log:

tail -f /var/log/php-fpm/limesurvey-error.log

Generic Apache error log:

tail -f /var/log/httpd/error_log

Generic Apache access log:

tail -f /var/log/httpd/access_log

Service

To apply your changes you need to restart the services.

Apache frontend web server:

apache2ctl configtest
apache2ctl graceful

PHP-FPM backend:

systemctl status  rh-php73-php-fpm
systemctl restart rh-php73-php-fpm

Database

$ mysql limesurvey
> SHOW TABLES;
+-----------------------------------------------+
| Tables_in_limesurvey                          |
+-----------------------------------------------+
| lime_answers                                  |
| lime_assessments                              |
| lime_asset_version                            |
| lime_boxes                                    |
| lime_conditions                               |
| lime_defaultvalues                            |
| lime_expression_errors                        |
| lime_failed_login_attempts                    |
| lime_groups                                   |
| lime_labels                                   |
| lime_labelsets                                |
| lime_map_tutorial_users                       |
| lime_notifications                            |
| lime_old_survey_272925_20210218220912         |
| lime_old_survey_272925_20210218222604         |
| lime_old_survey_272925_20210218232807         |
| lime_old_survey_272925_20210219171305         |
| lime_old_survey_272925_timings_20210218220912 |
| lime_old_survey_272925_timings_20210218222604 |
| lime_old_survey_272925_timings_20210218232807 |
| lime_old_survey_272925_timings_20210219171305 |
| lime_participant_attribute                    |
| lime_participant_attribute_names              |
| lime_participant_attribute_names_lang         |
| lime_participant_attribute_values             |
| lime_participant_shares                       |
| lime_participants                             |
| lime_permissions                              |
| lime_plugin_settings                          |
| lime_plugins                                  |
| lime_question_attributes                      |
| lime_questions                                |
| lime_quota                                    |
| lime_quota_languagesettings                   |
| lime_quota_members                            |
| lime_saved_control                            |
| lime_sessions                                 |
| lime_settings_global                          |
| lime_settings_user                            |
| lime_survey_272925                            |
| lime_survey_272925_timings                    |
| lime_survey_856642                            |
| lime_survey_856642_timings                    |
| lime_survey_links                             |
| lime_survey_url_parameters                    |
| lime_surveymenu                               |
| lime_surveymenu_entries                       |
| lime_surveys                                  |
| lime_surveys_groups                           |
| lime_surveys_languagesettings                 |
| lime_template_configuration                   |
| lime_templates                                |
| lime_tutorial_entries                         |
| lime_tutorial_entry_relation                  |
| lime_tutorials                                |
| lime_user_groups                              |
| lime_user_in_groups                           |
| lime_users                                    |
+-----------------------------------------------+
58 rows in set (0.00 sec)

Created with:

# copy a password
pwgen 40

# create database
mysql
CREATE DATABASE limesurvey;
CREATE USER limesurvey@localhost IDENTIFIED BY '<omissis>';
GRANT ALL PRIVILEGES ON limesurvey.* TO limesurvey@localhost;

quit

Unix

There is a dedicated Unix user on server ⚙️ fabula that is able to read the secret configuration and write some logs.

# id apache-limesurvey
uid=1438(apache-limesurvey) gid=1438(apache-limesurvey) groups=1438(apache-limesurvey),48(apache)

TODO: this user is actually not in use, because I don't want to experiment in production and right now I don't have time to do otherwise. Please update the PHP-FPM #Configuration to adopt this separate user.
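The pool configuration the TODO asks for, as an added example (not the file deployed on the server). Port 9002, the account name and its supplementary apache group, the error-log path and the config.php symlink target are taken from this page; the process-manager sizing, the open_basedir list and the session path are assumptions to adjust.

```ini
; /etc/opt/rh/rh-php73/php-fpm.d/9002-limesurvey.conf
; Added example of the pool the TODO above asks for; not the file deployed on
; the server. Facts taken from this page: the pool listens on 9002, the
; dedicated account is apache-limesurvey (supplementary group apache), the error
; log is /var/log/php-fpm/limesurvey-error.log, and config.php is a symlink into
; /etc/wmit-infrastructure/servers/fabula/projects/limesurvey/. Everything else
; (process manager sizing, open_basedir layout, session path) is assumed.
[limesurvey]
; Run the workers as the dedicated user instead of the shared apache account,
; so a compromise of this pool cannot read other sites' secrets. The account
; must be able to write to /var/log/php-fpm ("write some logs" above).
user = apache-limesurvey
group = apache-limesurvey

; TCP socket the Apache frontend proxies to (see the diagram under Overview).
listen = 127.0.0.1:9002
listen.allowed_clients = 127.0.0.1

pm = dynamic
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

; Per-pool error log, matching the path under Log.
php_admin_flag[log_errors] = on
php_admin_value[error_log] = /var/log/php-fpm/limesurvey-error.log

; Confine PHP to the application tree. open_basedir is checked against resolved
; paths, so the directory that config.php links into must be listed too, or
; every request fails while including the configuration.
php_admin_value[open_basedir] = /var/www/limesurvey/:/etc/wmit-infrastructure/servers/fabula/projects/limesurvey/:/tmp/

; Keep session files inside the tmp directory that the Filesystem section locks
; down with chmod o= (assumed location; create it and chown it like tmp).
php_value[session.save_path] = /var/www/limesurvey/production/tmp/sessions
```

After dropping the file in place, check the syntax and reload the service as described under #Service; the first request will reveal any path missing from open_basedir in the error log above.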

E-mail

This application uses an SMTP account @wikimedia.it with username noreply.

See #Configuration.

See technical addresses.

Update

During an update, do not use the web interface (the application is read-only on the filesystem); download the new version into /var/www/limesurvey instead.

To put the new version online, repoint the /var/www/limesurvey/production symbolic link.

Remember to copy application/config from the current version into the new one.

Then follow the official guide.

https://manual.limesurvey.org/upgrading_from_a_previous_version
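The symlink swap and the configuration copy described above, as an added example script (not Wikimedia Italia's). It assumes the page's layout: release directories named limesurvey-<version> next to a `production` symlink in /var/www/limesurvey. The detail that matters is `-n`: against an existing symlink to a directory, a plain `ln -fs new production` creates the new link inside that directory and leaves `production` untouched.

```shell
#!/bin/sh
# Repoint the "production" symlink to a new LimeSurvey release. Added example,
# not a script from Wikimedia Italia; it assumes the page's layout, release
# directories limesurvey-<version> next to a "production" symlink in
# /var/www/limesurvey (override with the second argument).
#
# Usage: switch_release NEW_DIR [BASE]     e.g. switch_release limesurvey-3.25.17
#        rollback_release OLD_DIR [BASE]   OLD_DIR is printed by switch_release

switch_release() {
    new=$1
    base=${2:-/var/www/limesurvey}
    link="$base/production"

    [ -d "$base/$new" ] || { echo "no such release directory: $base/$new" >&2; return 1; }
    [ -f "$base/$new/index.php" ] || { echo "$new does not look like an extracted LimeSurvey" >&2; return 1; }
    old=$(readlink "$link") || { echo "$link is not a symlink" >&2; return 1; }

    # Carry the instance configuration over, as the Update section requires.
    # -P copies config.php as the symlink it is on this host, so it keeps
    # pointing at /etc/wmit-infrastructure instead of becoming a stale copy.
    mkdir -p "$base/$new/application/config"
    cp -RP "$link/application/config/." "$base/$new/application/config/"

    # -n is what makes the swap correct: against an existing symlink to a
    # directory, a plain "ln -fs" creates the new link inside that directory
    # and leaves production unchanged.
    ln -sfn "$new" "$link"

    echo "production: $old -> $new"
}

rollback_release() {
    ln -sfn "$1" "${2:-/var/www/limesurvey}/production"
}
```

The symlink change is what makes the new release live, so run it only once the new tree is fully extracted; afterwards apply the hardening steps under #Filesystem and follow the official upgrade guide linked above. The printed old directory name is what you pass to `rollback_release` if the upgrade has to be reverted.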

Security

Some initiatives to improve the security of LimeSurvey itself:

Deploy

# info
latest_stable=https://download.limesurvey.org/lts-releases/limesurvey3.25.17+210309.zip
version=3.25.17

# download
mkdir -p /var/www/limesurvey
cd       /var/www/limesurvey
wget "$latest_stable" -O stable.zip

# checks: verify the archive against the digests recorded here for this
# release instead of only printing them (update both when $latest_stable changes)
echo "e528de65e48bb30ccfa581f975d9e989b9eb3ee1b65ab43aa80ef7e02b713b65  stable.zip" | sha256sum -c -
echo "492d553ed00911b8c0e7ccfb45be0830  stable.zip" | md5sum -c -
du stable.zip
# 77052	stable.zip

# extract
apt install --yes unzip
unzip stable.zip
rm stable.zip

# give a meaningful name
mv limesurvey limesurvey-"$version"

# create symlink
# -n: if "production" already exists as a symlink to a directory, replace the
# link instead of creating the new one inside that directory
ln -sfn limesurvey-"$version" production

# create temporary locations
mkdir -p tmp
chown www-data: tmp
chmod 770       tmp

Now see #Filesystem and #Database.

Phabricator