Re: Security improvements
Reply #1 –
Uhm, I don't even run ftp on my server. What ftp details am I supposed to enter? I send things to my server via scp.
Re: Security improvements
Reply #2 –
And you use Elk to take backups of your database?
Re: Security improvements
Reply #3 –
I usually do it outside elk. But I do let elk modify php files.
Re: Security improvements
Reply #5 –
Anyway, I guess we can add some "hidden" setting similar to $db_show_debug that, when added to Settings.php, allows disabling the FTP request.
Re: Security improvements
Reply #7 –
So I just checked, and even though ftp is disabled on my server I can download the database. I'm not sure what problem this is trying to solve. ftp credentials are obviously stored somewhere on the server, typically just outside the http-accessible tree. But generally the advice I hear is to drop ftp for sftp or scp, so why make elk dependent on ftp?
Re: Security improvements
Reply #9 –
It just seems there should be another place to get a second password. Why not put a hashed one in the settings file? Or even in the database. Then this secondary password is used to protect changing php files or downloading the database. If they can pull the hashed password out of the database without supplying the password then they can probably pull the whole database anyway. And then you're not dependent on something outside of Elk that is quite likely disabled on more security-conscious servers.
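The two proposals in this thread, a hidden Settings.php flag that suppresses the FTP prompt (Reply #5) and a hashed secondary password gating file edits and database downloads (Reply #9), sketched as an added example that is not ElkArte's own code; every variable, constant and function name here is hypothetical.

```php
<?php
// Added example, not ElkArte code. All names below are hypothetical.

// ---- What Settings.php could hold (hypothetical keys) ----
// In a real install the hash is generated once, e.g.
//   php -r 'echo password_hash("the secret", PASSWORD_DEFAULT), PHP_EOL;'
// and pasted into Settings.php; only the hash ever sits on disk.
// For this self-contained demo the hash is computed inline.
$disable_ftp_request = true;
$admin_action_password_hash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);

// Admin actions that must be confirmed with the secondary password.
const PROTECTED_ACTIONS = ['modify_php_files', 'download_database'];

/**
 * Decide whether an admin action may proceed.
 * Unprotected actions pass; protected ones pass only when the supplied
 * password verifies against the stored hash. A missing or empty hash
 * denies the action (fail closed) instead of silently skipping the check.
 */
function authorize_admin_action(string $action, string $supplied, ?string $stored_hash): bool
{
    if (!in_array($action, PROTECTED_ACTIONS, true)) {
        return true;
    }
    if ($stored_hash === null || $stored_hash === '') {
        return false;
    }
    // password_verify handles the salt and algorithm encoded in the hash
    // and compares in a timing-safe way.
    return password_verify($supplied, $stored_hash);
}

/** Replacement for the unconditional FTP prompt: ask only when the flag is unset. */
function needs_ftp_details(bool $disable_ftp_request): bool
{
    return !$disable_ftp_request;
}

// ---- Demo ----
var_dump(needs_ftp_details($disable_ftp_request));
var_dump(authorize_admin_action('download_database', 'wrong guess', $admin_action_password_hash));
var_dump(authorize_admin_action('download_database', 'correct horse battery staple', $admin_action_password_hash));
var_dump(authorize_admin_action('download_database', 'anything', ''));
var_dump(authorize_admin_action('view_stats', '', $admin_action_password_hash));
```

As Reply #9 notes, keeping the hash in Settings.php rather than the database means a database read alone does not yield the secret that protects the database dump; a rotated password only needs the hash in Settings.php replaced.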