Instalación

Contenido

2. La instalación  
    2.1 Idioma
    2.2 Tipo de instalación
    2.3 Licencia
    2.4 Base de datos
    2.5 Sitio Web
    2.6 Cuenta de usuario
    2.7 Compabilidad
    2.8 Confirmación
       2.8.1 Encrucijada
    2.9 Final
    2.10 Descargar archivo de configuración

3. Consejos para una instalación segura
    3.1 Archivos de programación y archivo de configuración
    3.2 Archivos de datos
        3.2.1 Afuera del documento root
        3.2.2 Adentro del documento root

4. Después de la instalación
    4.1 Detección de virus
    4.2 Nombre de la sesión
    4.3 URLs proxy-amistosos

5. Errores
    5.1 Instalación cancelada
    5.2 Incapaz de escribir en el directorio de datos
    5.3 Config.php problemas de escribir

6. Observaciones finales

1. Introducción

1.1 Convenciones

1.1.1 Características generales

• Mouseover: Casi cada imagen, ícono, botton, enlace o campo de data tiene un texto mouseover . Por favor pasar el ratón sobre estos artículos para ver una breve descripción, y explicación o una combinación de teclado de acceso directo para un artículo. Esta característica de uso fácil se dirige al usuario principiante de un CMS.
• teclados de acceso directo : Usted no necesita un ratón para trabajar con Website@School. Los artículos son accesibles con teclados de acceso directo cuales son mensionados en el mouseover. Su manual de hojeador le explicará cual tecla presionar en conjunto con el teclado de acceso directo.
• Barra de estatus amarilla: La barra amarilla dará mensajes de estatus, por ejemplo:
  

  ficheros de datos (no puede ser alterada mas adelante): nombre de archivo no acceptable: 'grado 8'

          Mensajes de confirmación o de errór se muestran en esta barra amarilla. En caso de necesidad estos mensajes pueden ser copiados y pegados en un mensaje electrónico o mensaje de foro de apoyo.

• Ventanas emergentes: A veces ventanas emergentes se muestran junto a la barra de estatus amarilla. Ellos llaman su attención y usted tiene que apagarlos para poder proceder. Leer los, entonces hacer clic en el botón [OK]. Los mensajes emergentes se muestran en la barra de estatus amarilla para cortar y pegar los.

1.1.2 Convenciones de la documentación

Aquí abajo están los elementos del texto que tienen una marca de beneficio especial:

• [Entrar] o, por ejemplo [Alt-N]:  Para indicar que usted puede usar el teclado.
• índex.php:  Para indicar un nombre del archivo.
• Nombre:  El carácter subrayado en negrita de los títulos del campo identifica el teclado de acceso directo que puede ser usado  para tener acceso o para modificar al artículo. Su manual del hojeador le dirá qué teclas para clavar la conjunción con el carácter subrayado en negrilla.
• [D] o, por ejemplo [P]:  En modo de alta visibilidad (para ciegos y personas perjudicadas visualmente)  el primero indica el Bote de Basura (Eliminar). El segundo indica el ícono de la Inspección Previo de la Página. 
• Área privada [  ] Mark ... etcétera: El [  ] en un texto indica una caja para chequear.
• Añadir una página o, por ejemplo Área: Un texto azul refiere al mismo texto en una imagen de pantalla.
• Añadir una årea, o por ejemplo Administrador de Página: El texto en negrita refiere a un artículo que sea visible en una imagen de pantalla.

1.2 Requisitos

1.2.1 Requisitos tecnicos

• Apache: versión 2.0.53 o mas alto
  

• MySQL: versión 4.1.x o mas alto

1.2.2 Requisitos de usuarios

Aparte del servidor y estas programas se necesita algunos conocimientos de informática para instalar Website@School:

• Conocimientos básicos como la descarga de archivos y descomprimir los, la creación de directorios y copia de archivos.
• Se puede trabajar con el programa FTP (Protocolo de Transferir Archivos) para subir archivos a un servidor cuando no se tiene acceso directo al servidor donde será instalado Website@School.
  Filezilla es un buen programa OSS/GPL FTP. Vea http://filezilla-project.org/.
• Usted puede crear una base de datos, sea en la linea de comando o con un programa como phpMyAdmin. Vea http://www.phpmyadmin.net/home_page/index.php.
• Algún conocimiento de trabajo sobre archivo de propiedad y los permisos.
  
  AVISO:
  Es muy importante por razones de seguridad de instalar estos permisos correctos. Usted quiere un sitio web seguro en su escuela para proteger la información confidencial que seguro será guardado en el directorio de datos. Aparte de esto usted quiere proteger su instalación Website@School y su servidor contra los intrusos. Especialmente párrafo        3. Consejos para una instalación segura trata este importante tema.
  
  

Cuando usted está inseguro de sus conocimientos, será mejor de pedir ayuda al grupo local de Linux. Ellos están virtulamente en todos lados y están despuestos a realizar un pequeño servicio para la escuela y (posiblemente) sus niños. Vea http://en.wikipedia.org/wiki/Linux_User_Group

1.3 Preparaciones

• Instalando en un servidor con acceso root:  Por ejemplo, usar el  directorio  /tmp para las descargas. 

• En un servidor sin acceso root: Cuando el srvidor se encuentra en un ISP (Servicio de Internet Proveedor), usted tiene que descargar y descomprimir los archivos en su propio computador. 

1.3.1 Descargas

• Browse to our download location at http://download.websiteatschool.eu and download the latest versions of:
• The Website@School program, e.g. the file websiteatschool-0.90.0.zip or websiteatschool-0.90.0.tar.gz[ * ].
• The Website@School manual, e.g. the file websiteatschool-manuals-en-0.90.0.zip or websiteatschool-manuals-en-0.70.0.tar.gz[ * ].
• (Optional) Download additional W@S language packs, e.g. the file websiteatschool-languages-es-0.10.0.zip or websiteatschool-languages-es-0.10.0.tar.gz[ * ] for the Spanish language files.

When on a server with root access, proceed to the next paragraph. When the server where Website@School is to be installed is located at an ISP (Internet Service Provider), proceed with paragraph 1.3.3 Installing on a server without root acces

1.3.2 Installing on a server with root acces

• Navigate to the webserver Document Root.
• Use your favorite tool to unpack the program. Assuming you have saved the downloads in the /tmp directory, use the following command to unpack a .zip file:

  [root@exemplum htdocs]# unzip /tmp/websiteatschool-0.90.0.zip

  When using tar, unpack with:

  [root@exemplum htdocs]# tar xzvf /tmp/websiteatschool-0.90.0.tar.gz

  NOTICE:
  The file is unpacked in the current directory.

• Do the same with the manual and the (optional) language file(s).
• Afteer this operation the following files and directory are created in the webserver Document Root:

  -rw-r--r-- 1 root root 2210 Feb 1 14:00 admin.php -rw-r--r-- 1 root root 7827 Feb 1 14:00 config-example.php -rw-r--r-- 1 root root 2204 Feb 1 14:00 cron.php -rw-r--r-- 1 root root 2653 Feb 1 14:00 file.php -rw-r--r-- 1 root root 2675 Feb 1 14:00 index.php drwxr-xr-x 1 root root 824 Feb 2 10:11 program

  We refer to this directory as the CMS Root Folder. In this case, the CMS Root Folder is the same as the webserver Document Root.

  NOTICE:
  Even though it is strongly recommended to install Website@School in the webserver Document Root, it is perfectly possible to install the program in a subdirectory of the webserver Document Root. In that case the webserver Document Root and the CMS Root Folder are not the same, hence the special name.

  The program directory contains the program files and directories. The manual and optional language packs were uncompressed there.

• Create the CMS Data Folder. This is a directory that holds uploaded files like images, documents, etcetera. It is very important that this directory is located outside the Document Root Folder, i.e. is not directly accessible with a browser. Note that the webserver must have sufficient permissions to read, create and write files in the CMS Data Folder.
  Examples of CMS Data Folders are: /home/httpd/wasdata or C:\Program Files\Apache Group\Apache\wasdata. The name wasdata is an example. You can use any name. Here is an example of minimal permissions and ownership on the CMS Data Folder:

  drwx------ 2 www www 48 Feb 2 10:49 wasdata

• Create a database. The installation program is not designed to create databases (for security reasons). Use a program like phpMyAdmin, see http://www.phpmyadmin.net, or the command line.

  When you are familiar with the Linux command line, you know how to create a database. If not, try this example which we adapted from the ServerAtSchool documentation at http://http://serveratschool.net/doc/install/configuring.html#h7.

  Below the login procedure is shown:

  [root@exemplum root]#mysql -h localhost -u root -p Enter password: Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 121 to server version: 4.0.23a Type 'help;' or '\h' for help. Type '\c' to clear the buffer. mysql>

  You are logged in now and ready to create a new database, with appropriate permissions and a new user, especially for the website database that will be accessed via the Webite@School content management system (CMS). Again, the commands to type are shown emphasised in the illustration below. The password 'ohF9quei' is used as an example. You should use a password of your own choice.

  mysql> create database www; Query OK, 1 row affected (0.00 sec) mysql> grant all on www.* to wasuser@localhost identified by 'ohF9quei'; Query OK, 0 rows affected (0.02 sec) mysql> _

  At this point you have created a new database named www and a user named wasuser who has been given full access to this database (but only from the host 'localhost'), provided the user produces the correct password, 'ohF9quei'.

  The MySQL database is now ready for use. You can close the connection to the database and end the mysql program:

  mysql> exit Bye [root@exemplum root]# _

  Examples of database names: www or example_www.

• At this point no config.php file exists. It is created during the installation.

  NOTICE:
  After finishing the installation and uploading the config.php file, change its permissions to read for owner and group. Do not forget this! Paragraph 3. Tips for a secure installation discusses this important subject.

You are now almost ready to install Website@School. Please first read paragraph 1.4 On secure passwords, before proceeding to 2. The installation.

1.3.3 Installing on a server without root access

We assume you have downloaded the files in the downloads directory as described in paragraph 1.3.1 Downloads, i.e. the downloads directory is in the users home directory.

• Navigate to your home directory.
• Create a directory, for example was, in which you will unpack the downloaded files.
• Navigate to the was directory.
• Use your favorite tool to unpack the program. Assuming you have the downloads in the downloads directory use your favorite tool or the command line to unzip:

  [dirk@freinet was]$ unzip ../downloads/websiteatschool-0.90.0.zip

  [dirk@freinet was]$ tar xvzf ../downloads/websiteatschool-0.90.0.tar.gz

  NOTICE:
  The file is unpacked in the current directory.

• Do the same with the manual and the (optional) language file(s).
• After this operation the following files and directory are created in the currrent directory:

  [dirk@freinet was]$ ls -l total 25 -rw-r--r-- 1 dirk dirk 2204 Feb 3 15:04 admin.php -rw-r--r-- 1 dirk dirk 7821 Feb 3 15:04 config-example.php -rw-r--r-- 1 dirk dirk 2198 Feb 3 15:04 cron.php -rw-r--r-- 1 dirk dirk 2647 Feb 3 15:04 file.php -rw-r--r-- 1 dirk dirk 2669 Feb 3 15:04 index.php drwxr-xr-x 11 dirk dirk 824 Feb 9 01:46 program [dirk@freinet was]$

  The program directory contains the program files and directories. The manual and optional language packs were unpacked there.

• Login to the server with an an FTP (File Transfer Protocol) program like Filezilla http://filezilla-project.org/.

  NOTICE:
  Depending on the ISP the name of the Document Root, i.e. the directory to put the Website@School program files and directory in, differs from ISP to ISP.

• With the FTP program, navigate to the Document Root directory that will become the CMS Root Folder. In this case, the Document Root is the same as the CMS Root Folder.

• Upload all files and the directory from was to the CMS Root Folder on the server. Do not forget underlaying subdirectories in program
• Create the Data Directory. This is the directory where the CMS Data Folder will be created by the Install Wizard. The CMS Data Folder will hold images, documents, etcetera. Read the notices!

  NOTICE 1:
  Create the Data Directory, if possible, outside the Document Root and outside the CMS Root Folder.

  NOTICE 2:
  If it is not possible to follow the NOTICE 1 above, the Data Directory must be created in the Document Root.
  Give this Data Directory a difficult to guess name,'for example b27b7d81c9ea26q4885734564qda2e12. Do not use this example, but create a difficult to guess directory name.

• In the CMS Root Folder, give all files, also those in the program directory and the directories under it, read permissions for owner, group and world.
• Also in the CMS Root Folder, give all directories read and execute permissions for owner, group and world.
• Give the Data Directory enough permissions (if only temporarily) to allow the Install Wizard to create the CMS Data Root.

  NOTICE
  Necessary permissions are: read, write and execute for owner, group and perhaps world, too. Once installation is complete, all write permissions of the Data Directory can be revoked again.

• At this point no config.php file exists. It is created during the installation.

  NOTICE:
  After finishing the installation and uploading the config.php file, change its permissions to read for owner and group. Do not forget this! Paragrapfh 3. Tips for a secure installation discusses this important subject.

• Create a database, or ask your ISP to provide you with one. The installation program is not designed to create databases (for security reasons).
  Examples of database names: www or example_www.

  To create a database, you can use a program like phpMyAdmin. phpMyAdmin is a free software tool written in PHP intended to handle the administration of MySQL over the World Wide Web. It can be downloaded at http://www.phpmyadmin.net.

  NOTICE:
  Using a web based program like phpMyAdmin is a security risk. Do not forget to (re)move phpMyAdmin to a place where the webserver has no accces to.

You are now almost ready to install Website@School. Please first read the next paragraph 1.4 On secure passwords, before proceeding to 2. The installation.

1.3.4 Installing on an XS4ALL server

1.4 On secure passwords

• have at least a minimum length of 8 (eight) characters,
• have at least 1 (one) uppercase character (A-Z),
• have at least 1 (one) lowercase character (a-z),
• have at least 1 (one) digit (0-9),
• preferably have special character like: at-sign '@', hash '#', dollar '$', percentage sign '%', caret '^', ampersand '&', asterisk '*', left parenthesis '(', right parenthesis ')', dash '-', underscore '_', plus '+', equals '=', left curly brace '{', right curly brace '}', opening bracket '[', closing bracket ']', semicolon ';', slash '/', dot '.' and question mark '?'.

Please bear this in mind when entering passwords during the installation. Nuff said, time to start!

(top)

2. The installation

2.1 Language

install_language.png

The installation starts with the selection of the language in the dropdown menu. Please select a language and click [Next] to continue or [Cancel] to abort the installation.

2.2 Installation type

install_installation_type.png

• Installation scenario
  • Standard: A standard installation will be the right choice for most schools. The installer will take care of finding the right values. But, take care, and check what the installer presents in the 'Confirmation' dialogue. If necessary, you can use the [Previous] button to correct errors.
  • Custom: A custom installation is necessary when you want multiple installations of Website@School in the same database. In the database dialogue 2.5 Database an extra field is added where a prefix for each installation can be added.
• High visibility [  ]: Check the box to use a text-only user interface during installation.
  This is a feature for visually impaired or blind persons. The installation can be performed with a braille terminal. High visibility is also availabe in Website@School management.

2.3 License

install_license_top.png
install_license_bottom.png

To be able to install the progrma, you have to accept the license agreement by typing 'I agree' (without quotes) in the box.

Click [Next] to continue, [Previous] to return to the previous dialogue or [Cancel] to abort the installation.

2.4 Database

install_database-top.png
install_database-top.png

• Type: Select one of the available database types. At this moment the database used is MySQL. A future version may support PostgreSQL too.
• Server: This is the database server address, usually localhost. Other examples: mysql.exemplum.eu or example.dbserver.provider.net:3306.
• Username: A valid username/password-combination is required to connect to the database server. Please do not use the root account of the database server but a less privileged one, e.g. wasuser or example_wwwa.
• Password: A valid username/password-combination is required to connect to the database server.
• Database name: This is the name of the database to use. Note that this database should already exist; this installation program is not designed to create databases (for security reasons). Examples: www or example_www.
• Prefix:

  NOTICE:
  This option is not available in the Standard installation, but only applies to the Custom installation.

  All table names in the database start with this prefix. This allows for multiple installations in the same database. Note that the prefix must begin with a letter. Examples: was_ or cms2_.

Click [Next] to continue, [Previous] to return to the previous dialogue or [Cancel] to abort the installation.

2.5 Website

install_website_top.png
install_website_bottom.png

• Website title: The name of your website. The name can be changed later on.
• From: address: This e-mail address is used for outgoing mail, e.g. alerts and password reminders. If an email address is visible, it is taken from the Apache webserver. The address can be changed now or later.
• Reply-To: address::

  NOTICE:
  This option is not available in the Standard installation, but only applies to the Custom installation.

  This e-mail address is added to outgoing mail and can be used to specify a mailbox where replies are actually read (by you) and not discarded (by the webserver software).

• Website Directory: This is the path to the CMS Root Folder, i.e the directory that holds index.php, config.php, etcetera, e.g. /home/httpd/htdocs or C:\Program Files\Apache Group\Apache\htdocs.
• Website URL: This is the main URL that leads to the schools website i.e. the place where index.php can be visited. Examples are: http://www.exemplum.eu or https://exemplum.eu:443/schoolsite.
• Program directory:

  NOTICE:
  This option is not available in the Standard installation, but only applies to the Custom installation.

  The path to the CMS Program Folder. As default setting the path is not the same as the CMS Root Folder (usually the CMS Root Folder followed by /program). Examples /home/httpd/htodcs/program or C:\Program Files\Apache Group\Apache\htdocs\program

  NOTICE:
  Do not change this path, unless you know exactly what you are doing!

  NOTICE:
  The folder name program should not be changed.

• Program URL:

  NOTICE:
  This option is not available in the Standard installation, but only applies to the Custom installation.

  This is the URL that leads to the program directory (usually the website URL followed by /program). Examples are: http://www.exemplum.eu/program or https://exemplum.eu:443/schoolsite/program.

• Data directory: The Data Directory is the place where the Install Wizard will create the CMS Data Folder. The CMS Data Folder will hold uploaded images, documents, et cetera. See also 1.3.2 Installing on a server with root acces and 1.3.3 Installing on a server without root access.

  It is very important that this directory is located outside the webservers Document Root [1], i.e. is not directly accessible with a browser. Note that the webserver must have sufficient permissions to read, create and write files here. Examples the the CMS Data Folder are: /home/httpd/wasdata or C:\Program Files\Apache Group\Apache\wasdata.

  [1] With many ISPs (Internet Service Providers) you have no access outside the Document Root.

• Populate database [  ]: Check this box if you want to start with your new website using demonstration data. It's a good idea to check this option. The demo data are excellent for trying the numerous administrative possibilities of Website@School. The demo data can be erased later on if necessary.

• Demonstration password: The same demonstration password will be assigned to all demonstration user accounts. Please choose a good password as described in paragraph 1.4 On secure passwords. You can leave this field blank if you did not check the Populate database box above.

Click [Next] to continue, [Previous] to return to the previous dialogue or [Cancel] to abort the installation.

2.6 User account

install_user_account-top.png
install_user_account-bottom.png

• Full name: Please enter your own name or, if you prefer, another (functional) name, e.g. Wilhelmina Bladergroen or Master Web.
• User name: Please enter the login name you want to use for this account. You need to type this name every time you want to login. Examples: wblade or webmaster.

  NOTICE: A user name consists of maximum 16 characters: lowercase (a-z), digits (0-9), underscore (_)and starts with a letter.

• Password: Please choose a good password as described in paragraph 1.4 On secure passwords. Do not share your password with others, but create additional accounts for your colleagues instead.
• E-mail address: Please enter you e-mail address here. You need this address whenever you need to request a new password. Make sure that only you have access to this mailbox (do not use a shared mailbox). Examples: w.bladergroen@exemplum.eu or webmaster@exemplum.eu.

Click [Next] to continue, [Previous] to return to the previous dialogue or [Cancel] to abort the installation.

2.7 Compatibility

install_compatibility.png

Below is an overview of required and desired settings. You need to make sure that the requirements are satisfied before you continue.

NOTICE:
Required items have an '*' asterisk.

• Website@School: Please check if you have the latest version. It could be necessary to upgrade after an installation.
• Webserver: * You neead Apache version 2.0.53 or hihger.
• Database server: * You need MySQL version 4.0.23a or higher.
• PHP version: * You need PHP version 4.3.10 or higher.
• Automatic session start: * The right value is 'NO'. If a wrong value is shown, you should edit the php.ini file.
• PHP Safe Mode: The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren't very realistic, many people, especially ISP's, use safe mode for now. This feature has been DEPRECATED as of PHP 5.3.0. Relying on this feature is highly discouraged. Source: http://php.net/manual/en/features.safe-mode.php.

  NOTICE:
  Not required but strongly advised. In php.ini set safe_mode = Off.

• File uploads: It must be possible to upload files to the CMS Data Folder. If not correct, the CMS Data Folder may have wrong ownerschip and/or permissions.

  NOTICE:
  Take care! Do not set this folder world readable!

• GD Support: GD is an open source program for the dynamic creation of thumbnails. GD creates PNG, JPEG and GIF images, among other formats. The thumbnails are used in the FCK editor.
• Clamscan anti-virus: Clamscan is used to scan uploaded files for viruses. It is highly recommended to scan all uploaded materials from those home or school computers, used by everyone, for viruses.

2.8 Confirmation

install_confirmation_top.png
install_confirmation_bottom.png

You are about to install your new website. Carefully check the configuration settings. Please do as suggested and print this page for future reference.
Thereafter you can press [Next] to start the actual installation process or press [Previous] to correct errors, or [Cancel] to abort the installation.

The installation process may take a while.

2.8.1 Crossroads

1. The configuration file config.php was automatically written to the CMS Root Folder. You see a picture as in 2.9 Finish. Proceed from there.
2. The configuration file config.php was not automatically written to the CMS Root Folder and it must be put there by hand. Please proceed with paragraph 2.10 Download configuration file.

2.9 Finish

install_finish.png

The installation is finished.
It's not a bad idea to check for updates or bug fixes. We assume your version is up to date. Proceed by selecting an item from the dropdown menu:

Jump to:

• admin.php: The default option to login.
• index.php: The location of the school website.
• manual.php: The location of the manual.
• http://websiteatschool.eu: Our location where you can find more about Website@School.

Or click [OK] to go to the default destination: the admin.php login dialogue.

install_login.png

You can now continue reading the manual with the Logging in and out chapter. Or select one of the other options and click [OK] to go there.

2.10 Download configuration file

config.php. You can save it in the was directory on your computer and copy (upload) it with FTP to the CMS Root Folder. This feature is a security measure.

install_finish_download.png

To download the file config.php, proceed as follows:

• Click the Download config.php link.
• A download window opens on your computer:
  
  install_finish_download_save.png

  Select the was directory on your computer (see also 1.3.3 Installing on a server without root access) to save the config.php file.

• With an FTP program, upload the file to the CMS Root Folder.
• Check the file permissions and ownership. Permissions 0400 and user wwww and group root are safe. For further details on the security of this important file that contains your database password, see 3. Tips for a secure installation

The installation is finished.
It's not a bad idea to check for updates or bug fixes. We assume your version is up to date. Proceed by selecting an item from the dropdown menu:

Jump to:

• admin.php: The default option to login.
• index.php: The location of the schools website.
• manual.php: The location of the manual.
• http://websiteatschool.eu: Our location where you can find more about Website@SChool.

Or click [OK] to go to the default destination: the admin.php login dialogue:

install_login.png

You can now continue reading the manual with the Logging in and out chapter. Or select one of the other options and click [OK] to go there.

(top)

3. Tips for a secure installation

NOTICE:
Securing an installation, thus protecting the schools website, the (sometimes) confidential data and the server itself can be complicated to perform. Mistakes are easily made. If you are unfamiliar with the intricacies in this paragraph, please ask help from a local Linux group. The operations should not be performed by someone who hasn't done it before.

This paragraph discusses the points to check for a secure installaton. However, it is impossible to describe all possibilities and their exceptions. Do not hesitate to ask help from a local Linux group or ask for support.

All program files of Website@School are installed in the so called CMS Root Folder. The CMS Root Folder is often the same as the webserver Document Root. However, it is also possible to use a subdirectory of the webserver Document Root instead.

Furthermore, for a good installation a separate Data Directory is necessary. After installation is complete, this Data Directory will contain the CMS Data Folder.

3.1 Program files and configuration file

After a successful installation, the CMS Root Folder, i.e. the webserver Document Root, or the self chosen subdirectory, should contain the following files and directory. Observe permissions and ownership:

-rw-r--r-- 1 root root 2210 Feb 1 14:00 admin.php -rw-r--r-- 1 root root 7827 Feb 1 14:00 config-example.php -r-------- 1 www root 754 Feb 1 11:10 config.php -rw-r--r-- 1 root root 2204 Feb 1 14:00 cron.php -rw-r--r-- 1 root root 2653 Feb 1 14:00 file.php -rw-r--r-- 1 root root 2675 Feb 1 14:00 index.php drwxr-xr-x 1 root root 824 Feb 2 10:11 program

The CMS Program Folder program/ contains dozens of files and subdirectories. Together these form the Website@School program.

Finally, there is the configuration file config.php. This file (which is created by the Install Wizard) must be placed in the same directory as the other files, i.e. in the CMS Root Folder.

It is sufficient for the webserver (Apache) to only have read permissions on all these program files and subdirectories. This also applies to the configuration file config.php.

Security wise it is best to make sure that the webserver (Apache) has no write permissions on these program files and (sub) directories. This also applies tot the configuration file config.php.

For additional security and protection of the data in config.php it makes sense to limit the permissions on that file even further.

On a Linux server it speaks for itself to set these read- and write permissions as follows:

- All files, with the exception of config.php, get permissions 0644 and are owned by user root and group root.
- Al directories get permissions 0755 and are owned by user root and group root.
- The file config.php gets permissions 0400 and becomes owned by user www and group root.

NOTICE 1:
It is also possible to give the files (except config.php) permissions 0444 and the directories permissions 0555, but this adds factually little when the files are owned by user root, because anyhow user root has all permissions, also write permissions, on any file.

NOTICE 2:
In this example user www is used as the account under which the webserver (Apache) is running. Depending on the specific system, this can also be the user apache or nobody. Please consult the documentation and/or configuration of the webserver.

NOTICE 3:
The file config.php is a case on its own. This file contains the database password. For that reason it is good to only and exclusively give the webserver (Apache) read permissions on this file and no other user or group.

NOTICE 4:
If it is not possible to make the files (except config.php) and directories owned by user root and group root, then it is also possible to choose another user and group, as long as it is not the webserver user and group for that purpose. Permissions 0644 or 0755 are usable.

3.2 Data files

For a fully functional Website@School, also storage space is needed, preferably outside the websrervers Document Root.
During the installation in step 2.5 Website you have entered a path, for example /home/httpd/wasdata.

For security reasons the installer creates a subdirectory inside this directory: This we call the CMS Data Folder. The full path of the CMS Data Folder is the Data Directory path followed by a difficult to guess directory name of 32 letters and digits, for example: /home/httpd/wasdata/b27b7d81c0ea26c4885784564bda2e11.

It is necessary that, during the installation, the webserver (Apache) has read-, write- and execute permissions in the Data Directory (for example wasdata), in order to create the CMS Data Root.
After finishing the installation the write permissions can be minimised, as long the read and search permissions for the webserver remain.

3.2.1 Outside the document root

Concerning security it is strongly advised that the CMS Data Folder is located outside the webserver Document Root.

Example 1:
On the Linux server /home/httpd/htdocs is the webserver Document Root. In that case a secure choice for the Data Directory is /home/httpd/wasdata. This results in:
- Data Directory: /home/httpd/wasdata
- CMS Data Folder: /home/httpd/wasdata/fa0aff7743cd61f2afb473ca528fd431

During the installation, the Data Directory must have permissions 0700 with user www and group root. After finishing the installation, it is sufficient to set the permissions of this directory to 0500 with user www and group root.

Example 2:
On a Linux server /var/www is the webserver Document Root. The Data Directory could be located in /var/wasdata. This results in:
- Data Directory: /var/wasdata
- CMS Data Folder: /var/wasdata/fa0aff7743cd61f2afb473ca528fd431

During the installation, this Data Directory should have sufficient file access permissions, e.g. by -- temporarily -- elevating permissionss to 0777, with user wblade and group users. After finishing the installation, it is sufficient to set the permissions of this directory to 0555 with user wblade and group users.

User wblade is Wilhelmina Bladergroen, the systems administrator of the Exemplum Primary School. For explanation on this user and the school see the ServerAtSchool documentation at http://serveratschool.net/doc/manual/overview.html#h2

NOTICE:
The permissions and ownership of the underlying directories created by the Installation Wizard, must remain as they are. Here is an example:

drwx------ 3 www www 240 Feb 6 13:53 fa0aff7743cd61f2afb473ca528fd431

3.2.2 Inside the document root

Concerning security it is strongly advised to have the CMS Data Folder located outside the Document Root. If, for some reason or another, this is not possible, then choose a difficult and long directory name to make it difficult for a third party to find this directory by 'guessing'. After all, all documents are in pinciple direcly accessible, provided the name of the document is known.

Example 1:
On a Linux server /home/httpd/htdocs is the webservers Document Root. If the Data Directory and hence the CMS Data Folder is to stay in there, then b27b7d81c9ea26q4885734564qda2e12 looks like a good, difficult to guess subdirectory name. This results in:
- Data Directory/home/httpd/htdocs/b27b7d81c9ea26q4885734564qda2e12
- CMS Data Folder: /home/httpd/htdocs/b27b7d81c9ea26q4885734564qda2e12/fa0aff7743cd61f2afb473ca528fd431

The permissions of the Data Directory during the installation are 0700 with user www and group root. After the installation permissions 0500 with user www and group root are enough.

Example 2:
On a Linux server /var/www is the webservers Document Root. If the Data Directory and hence the CMS Data Folder is to stay in there, then b27b7d81c9ea26q4885734564qda2e12 looks like a good, difficult to guess directory name. This results in:
- Data Directory: /var/www/b27b7d81c9ea26q4885734564qda2e12
- CMS Data Folder: /var/www/b27b7d81c9ea26q4885734564qda2e12/fa0aff7743cd61f2afb473ca528fd431

During the installation, the Data Directory has --temporarily-- permissions 0777 with user wblade and group users. After the installation it is sufficient to set back the permissions of this directory to 0555 with user wblade and group users.

User wblade is Wilhelmina Bladergroen, the systems administrator on the Exemplum Primary School. For explanation on this user and the school see the ServerAtSchool Documentation at http://serveratschool.net/doc/manual/overview.html#h2

NOTICE:
The permissions and ownership of the underlying directories created by the installation wizard, must remain as they are.

3.3 Further information

This manual is not a study book on server security. For safety contact your systems administrator or ISP (Internet Service Provider) for a possibly even tighter installation or contact the Website@School support at support@websiteatschool.eu.

NOTICE:
Before making use of your installation, please also read the next section to check some of the configuration items that affect security.

(top)

4. After the installation

When you have successfully completed the previous section, please also check the following items that either affect the security of your installation or prevent problems. All items are described in the Configuration Manager, paragraph 5. Site.

4.1 Virus scanning

On a school server with so many users able to upload files from anywhere, scanning for viruses is a must. In the procedure below we describe how to check if virus scanning is indeed functioning.

First check at [ ] Scan files for viruses on upload, the box is checked. Then perform the following test to verify the correct operation of the virus scanner by creating a special 'test virus'. There is a standard test, developed explicitly for testing antivirus programs. It was developed by the European Institute for Computer Anti-Virus Research (EICAR). You can easily create this test using any text editor. The test file consists of 68 plain ASCII characters as shown below. Note that the 3rd character is a capital 'O' and not the digit '0'.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Now store these 68 characters in a file. Do not name it EICAR.COM, as suggested by the Institute, because by default .com is a not allowed file extension in Website@School. Maliciously name it image.png, so it will be accepted, and upload it to your My Files location. The virus should be detected and an error message must be generated like:

install_after_install_virus.png

If the virusscanner is properly installed and found during installation, but it is for some reason not working during the upload, a message like the following is displayed. Notice 'Error 2'.

Filename(1): Error 2 while scanning for viruses, file 'other_image.bmp'
Files added: 0, files ignored: 1 .

More information on EICAR.COM can be found on the EICAR web site at http://www.eicar.org/anti_virus_test_file.htm.

Note that this EICAR.COM file in itself is a valid but harmless DOS program. When executed (in a DOS box), it simply displays the text 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!', nothing more.

This sub paragraph on testing with a virus is gracefully copied and slightly adapted from http://serveratschool.net/doc/, the ServerAtSchool Documentation, where the installation of a secure school server is discussed.

4.2 Session name

In every installation of Website@School the session name is the same. A bit of extra security can be added by changing the session name WASSESSION to something else. After changing, log out and in again.

4.3 Proxy friendly URLs

Easy to change after the installation, however when this change is done some time in the future, it might give you a lot of work. Please read about this item in the Configuration Manager, paragraph 3. Site

(top)

5. Errors

Below the most common errors during the installation procedure are discussed.

5.1 Cancelled installation

When the installation is cancelled, it is because the Website@School installer found an already existing config.php configuration file. This is a security feature that prevents overwriting an existing configuration file. Check if the file exists. If this is the case, either delete or rename it. You cannot accidently overwrite an existing config.php file while doing a new installation of Website@School, even when the file permissions would allow it.

Click [OK] to return to the language selection. It is possible to download the config.php file. See paragraph 2.10 Download configuratoin file.

5.2 Unable to write in Data Directory

When you have created the data directory with the wrong ownership (for example root.root), you can get an error message like:

Error: Data directory: directory can not be created: /home/httpd/htdocs/wasdata/6a69137e2689c8f91873e0634ca46bda.

You get the same type of errors when the file permissions are too low (for example 000 or 600). Here is an example of minimal permissions and ownership:

drwx------ 2 www www 48 Feb 3 16:49 wasdata

5.3 Config.php write problems

The installer can be unable to write [1] the configuration file config.php because the directory is write protected. In that case, you have the possibility to download config.php and save it on your computer. Then copy it to the location you choose to put the program in. This feature could be seen as a security measure.

[1] For example when Website@Schools CMS Root Folder has permissions like:

dr-x------ 3 www www 240 Oct 21 13:53 htdocs

It is impossible to write in the directory.

(top)

6. Concluding remarks

Your Website@School is ready for use. Please take the Guided Tour to have a quick introduction to some (but not all) features of Webiste@School.

(top)

---

Prev	Home	Next
Introduction		Logging in and out

Author: Dirk Schouten <schoutdi (at) knoware (dot)

Last updated: 2011-07-11