| Both sides previous revisionPrevious revisionNext revision | Previous revision |
| administration:security [2023/03/08 19:00] – demiankatz | administration:security [2024/02/20 13:09] (current) – [Security] demiankatz |
|---|
| ====== Security ====== | ====== Security for VuFind® Administrators ====== |
| |
| ===== Unix Accounts and Permissions ===== | ===== Unix Accounts and Permissions ===== |
| </code> | </code> |
| |
| The username is most likely ''apache'' or ''www-data''. Make note of it. | The username is most likely ''apache'' (if you are using an RPM-based Linux flavor) or ''www-data'' (for Debian-based Linux flavors). Make note of it. |
| |
| 2.) Change ownership of the entire VuFind® directory to your new service user, then change the cache back to the appropriate ownership, then adjust the command-line cache. This requires three commands, but you should run them in rapid sequence to avoid disruption to your system: | 2.) Change ownership of the entire VuFind® directory to your new service user, then change the cache back to the appropriate ownership, then adjust the command-line cache. This requires three commands, but you should run them in rapid sequence to avoid disruption to your system: |
| </code> | </code> |
| |
| Note that this example assumes an Apache user of "apache" but you should replace "apache" with the username you noted in step 1. | :!: Note that this example assumes an Apache user of "apache" but you should replace "apache" with the username you noted in step 1. |
| |
| ==== Setting Up Cron Jobs ==== | ==== Setting Up Cron Jobs ==== |
| |
| <code bash> | <code bash> |
| sudo su vufind | sudo su vufind -s /usr/bin/bash |
| crontab -e | crontab -e |
| </code> | </code> |
| | |
| | Note that in this example, we specify which shell to use when switching to the vufind user, since in the example above, we set a "nologin" shell as the default. We need to override that to avoid an error message about the account being unavailable. If you set up the user with a different default shell, you can skip this parameter (but the account may be less secure under certain circumstances). |
| |
| ===== Using SSL ===== | ===== Using SSL ===== |
| === 1. Create the user account === | === 1. Create the user account === |
| |
| First, decide on a name for your Solr user. For the example below, we will use "solr" as the username. If you have multiple instances of Solr running for multiple applications, you might choose a more specific name like "vufind." Having made this decision, you can create the account with: | First, decide on a name for your Solr user. If you have already [[#creating_a_system_account_for_vufind|created a system account for VuFind®]] as described above, you might decide that you can use this user to run Solr as well as run VuFind®-specific scripts. In that case, no additional configuration should be necessary. |
| |
| <code bash> | If you want to fully isolate Solr by creating a user named solr, just repeat the useradd command described under [[#creating_a_system_account_for_vufind|creating a system account for VuFind®]], replacing the "vufind" name in the example with "solr" (or whatever else you choose to use). The examples in the following steps assume you chose "solr". |
| sudo useradd -r -s /usr/sbin/nologin -U solr | |
| </code> | |
| | |
| The -r switch designates this as a system account, the -s switch sets the login shell to prevent users from logging into the account, and the -U switch creates a group to match the username. | |
| |
| === 2. Change the ownership of the Solr directories === | === 2. Change the ownership of the Solr directories === |
| |
| <code bash> | <code bash> |
| sudo su solr | sudo su solr -s /usr/bin/bash |
| cd $VUFIND_HOME | cd $VUFIND_HOME |
| ./solr.sh start | ./solr.sh start |
| </code> | </code> |
| | |
| | See the note under [[administration:security#setting_up_cron_jobs|setting up cron jobs]] above for an explanation of the -s switch on su. |
| |
| If you are automatically starting Solr, make sure that your configuration includes the appropriate username. See the [[/administration:starting_and_stopping_solr|Starting and Stopping Solr]] page for more details. | If you are automatically starting Solr, make sure that your configuration includes the appropriate username. See the [[/administration:starting_and_stopping_solr|Starting and Stopping Solr]] page for more details. |
| [[administration:starting_and_stopping_solr#restarting_solr_manually|Restart the Solr process]] so the changes can take effect. | [[administration:starting_and_stopping_solr#restarting_solr_manually|Restart the Solr process]] so the changes can take effect. |
| |
| | ==== Allowing Access to the Solr Host ==== |
| | |
| | Starting with Solr 9 (and thus affecting VuFind® releases 9.0 and later), Solr will only allow "localhost" connections by default. If you wish to access Solr from another server or workstation, you will need to choose one of these solutions: |
| | |
| | === Option 1: Reconfigure SOLR_JETTY_HOST === |
| | |
| | If you want to permanently allow Solr to accept connections using a hostname other than "localhost," you can set the SOLR_JETTY_HOST environment variable to control this behavior. If you set the variable to "0.0.0.0" it will accept connections using any name. If you set the variable to a specific hostname, then ONLY that hostname will be allowed (e.g. if you set SOLR_JETTY_HOST to "myserver.myuniversity.edu" then "localhost" connections will stop working, and all Solr traffic must use the hostname). See [[https://solr.apache.org/guide/solr/latest/deployment-guide/taking-solr-to-production.html#security-considerations|Taking Solr to Production]] for more details. |
| | |
| | === Option 2: Use SSH Tunneling === |
| | |
| | If you only want to temporarily access Solr from another location, you can do so without loosening security by opening an SSH tunnel to expose the Solr port on another machine, effectively allowing "localhost" access remotely. SSH tunneling is available through the standard Unix ssh command line tool and through graphical clients like PuTTY. It is beyond the scope of this documentation to explain SSH tunneling in detail, but if you use a search engine to look for "SSH tunnel" and your client or operating system of choice, you should be able to find a wealth of tutorials on the subject. |
| ===== Locking Down the Admin Panel ===== | ===== Locking Down the Admin Panel ===== |
| |
| |
| VuFind® stores some user information in its database. Starting with VuFind® 2.0RC1, you have the option to perform extra hashing/encryption to protect these credentials. The settings are off by default in [[configuration:files:config.ini]], but they can be enabled through VuFind®'s auto-configuration pages. Enabling security is highly recommended. | VuFind® stores some user information in its database. Starting with VuFind® 2.0RC1, you have the option to perform extra hashing/encryption to protect these credentials. The settings are off by default in [[configuration:files:config.ini]], but they can be enabled through VuFind®'s auto-configuration pages. Enabling security is highly recommended. |
| | |
| | VuFind® also supports configuration settings to enforce length and content restrictions on usernames and passwords. Review the settings in the [Authentication] section of [[configuration:files:config.ini]] for more details. It is recommended that you enforce complex passwords when possible, but depending on your authentication settings this may not be possible (e.g. if your login proxies your ILS, and your ILS does not support password restrictions) or may not be necessary (e.g. if you are using single sign-on, where passwords are managed entirely in a third-party system). |
| |
| When using some [[configuration:authentication]] options, you have the ability to pre-populate user ILS credentials in the database. In some scenarios, it is possible to configure ILS drivers to look up users based only on usernames or other "public knowledge" fields. In these cases, you should disable direct user login using the allowUserLogin setting in the [Catalog] section of [[configuration:files:config.ini]] to eliminate the possibility of users attempting to impersonate one another. This setting was introduced in VuFind® 9.0. | When using some [[configuration:authentication]] options, you have the ability to pre-populate user ILS credentials in the database. In some scenarios, it is possible to configure ILS drivers to look up users based only on usernames or other "public knowledge" fields. In these cases, you should disable direct user login using the allowUserLogin setting in the [Catalog] section of [[configuration:files:config.ini]] to eliminate the possibility of users attempting to impersonate one another. This setting was introduced in VuFind® 9.0. |
| |
| Starting with VuFind® 7.0, you can configure a [[administration:security:content_security_policy|content security policy]] to protect against cross-site scripting and other vulnerabilities. See the [[administration:security:content_security_policy|content security policy]] page for more details. | Starting with VuFind® 7.0, you can configure a [[administration:security:content_security_policy|content security policy]] to protect against cross-site scripting and other vulnerabilities. See the [[administration:security:content_security_policy|content security policy]] page for more details. |
| | |
| | ===== General Best Practices ===== |
| | |
| | ==== Stay Up to Date ==== |
| | |
| | VuFind® generally puts out one major and one minor release each year, plus patch releases as necessary. Maintaining your VuFind® instance ensures that you receive the latest security fixes and that your instance remains compatible with the latest versions of all of its dependencies. |
| | |
| | You should also be sure to keep your dependencies up to date through necessary operating system patching and upgrading. Make sure that you are running VuFind® in combination with up-to-date and supported versions of Linux, Apache, PHP, etc. |
| | |
| | ==== Don't Leave Autoconfiguration Turned On ==== |
| | |
| | It's necessary to put VuFind® into "autoconfiguration" mode via the "autoConfigure" setting of [[configuration:files:config.ini]] for initial installation and when performing upgrades. You should never turn this setting on at any other time, and you should remember to turn it off whenever you are done with it! |
| | |
| | On a related note, while it is sometimes necessary to give Apache ownership of your configuration files to allow it to write updates to disk during autoconfiguration, this ownership should only be granted during active maintenance of VuFind®, and ownership should be given to a different user at all other times. |
| ---- struct data ---- | ---- struct data ---- |
| properties.Page Owner : | properties.Page Owner : |
| ---- | ---- |
| |
