
Making Kalkun more secure

tenzap edited this page Mar 16, 2022 · 3 revisions

Kalkun security

In its default installation, Kalkun puts all files in the DocumentRoot of the web server (let's say it is /var/www/kalkun/). The only files that need to be directly accessible over HTTP are index.php and the files in the media/ subdirectory (and the install file, to enter the setup wizard). All other files are PHP source files, configuration files, log files, cache files etc. These should never be displayed to a remote user, as they may contain sensitive information. Kalkun source files are protected from direct display by this code at the beginning of every sensitive file:

if ( ! defined('BASEPATH')) exit('No direct script access allowed');

The BASEPATH constant is defined in index.php. Because the constant only exists when a request enters through index.php, PHP exits on the first line of any other PHP script that a remote user calls directly.

Possible problems

But what happens if the developers of Kalkun forget to add the magic first line to a sensitive config file? Or if the hosting server accidentally switches the PHP module off? Or to files that don't have the .php extension? Direct access to sensitive data is possible in these circumstances.

Proposed solution

You can make your Kalkun installation even more secure. Create a dedicated subdirectory /var/www/kalkun/www/ and move the files that the web UI needs into it:

cd /var/www/kalkun/
mkdir www
mv index.php media www
mv install www

Now edit that index.php and update:

$system_path = 'vendor/codeigniter/framework/system';

to read:

$system_path = "../vendor/codeigniter/framework/system";

Then edit application/config/config.php and update:

$config['composer_autoload'] = 'vendor/autoload.php';

to read:

$config['composer_autoload'] = '../vendor/autoload.php';

Finally edit your Apache config for Kalkun virtual host and change:

DocumentRoot /var/www/kalkun/

to read:

DocumentRoot /var/www/kalkun/www/

Finish by reloading Apache:

/etc/init.d/apache2 reload

Now your Kalkun installation is more secure as there is absolutely NO way for a remote user to directly access Kalkun or CodeIgniter system files, cache files, configs etc.
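
A check for the layout above, as an added example that is not part of the Kalkun project: the function lists files under a DocumentRoot that a remote user could request directly, either PHP files missing the BASEPATH guard or non-PHP files outside media/. The function names, the output labels and the sample tree are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not Kalkun code. Usage: kalkun_docroot_audit /var/www/kalkun/www
# Reports, relative to the given DocumentRoot:
#   UNGUARDED  a .php file (other than index.php) without the BASEPATH guard
#   RAW        a non-.php file outside media/ that the server would send as-is
kalkun_docroot_audit() {
    docroot=${1%/}
    find "$docroot" -type f ! -path "$docroot/media/*" | LC_ALL=C sort |
    while IFS= read -r f; do
        rel=${f#"$docroot"/}
        case $rel in
            index.php|install) ;;            # meant to be reachable
            .htaccess|*/.htaccess) ;;        # assumption: stock Apache config denies .ht* files
            *.php)
                # The guard sits at the top of the file; inspect the first 5 lines only.
                if ! head -n 5 "$f" | grep -qF "defined('BASEPATH')"; then
                    printf 'UNGUARDED %s\n' "$rel"
                fi ;;
            *)  printf 'RAW %s\n' "$rel" ;;
        esac
    done
}

# Builds a small constructed tree that mimics the default (pre-move) layout.
kalkun_sample_tree() {
    root=$1
    mkdir -p "$root/application/config" "$root/application/logs" "$root/media/css"
    printf '%s\n' '<?php' "define('BASEPATH', 'constructed');" > "$root/index.php"
    : > "$root/install"
    printf '%s\n' "<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');" \
        > "$root/application/config/config.php"
    # Constructed config file where the guard was forgotten.
    printf '%s\n' '<?php' '$db["password"] = "constructed";' \
        > "$root/application/config/database.php"
    echo 'constructed log line' > "$root/application/logs/log-2022-03-16.log"
    echo 'body{}' > "$root/media/css/base.css"
}
```

Run against the old DocumentRoot, the sample tree yields two findings; run against www/ after the move, the output is empty.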

Disable error display

You may also disable error display, especially in production. This is done through the CI_ENV environment variable: set it to production. See the .htaccess file. More details are in the CodeIgniter documentation.
