#20689 protecting files when allowing access to third party developers
Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket
Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.
Environment Information
Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a
Latest post by nicholas on Friday, 08 August 2014 16:12 CDT
Friday, 08 August 2014 03:47 CDT
MelanieB
Friday, 08 August 2014 03:58 CDT
MelanieB
Hi,
my apologies I posted the ticket accidently - I thought I was browsing help files.
This is a general question about security, and whether admin tool can protect me. I have to occasionally let third party developers in to my front and backend, and via ftp to fix issues with their components I have purchased.
In the past I have given this access (naive) and been bitten a few times as a result. On the last occasion, I noticed 'someone' had created a new ftp account called [email protected].
Is there any way (using akeeba admin) we can protect ourselves from this sort of thing? For example can we:
1. Protect people (3rd party devlopers who need access) from being able to backup and download our sites using the backup manager - or browsing to the akeeba backup folder on the server
2. Protect the configeration.php file
3. Protect from 3rd party developers to be able to install files on Joomla Administrator like file browser/manager files?
4. Protect from creating new ftp accounts
Any advice would be appreciated
Mel
my apologies I posted the ticket accidently - I thought I was browsing help files.
This is a general question about security, and whether admin tool can protect me. I have to occasionally let third party developers in to my front and backend, and via ftp to fix issues with their components I have purchased.
In the past I have given this access (naive) and been bitten a few times as a result. On the last occasion, I noticed 'someone' had created a new ftp account called [email protected].
Is there any way (using akeeba admin) we can protect ourselves from this sort of thing? For example can we:
1. Protect people (3rd party devlopers who need access) from being able to backup and download our sites using the backup manager - or browsing to the akeeba backup folder on the server
2. Protect the configeration.php file
3. Protect from 3rd party developers to be able to install files on Joomla Administrator like file browser/manager files?
4. Protect from creating new ftp accounts
Any advice would be appreciated
Mel
Friday, 08 August 2014 07:31 CDT
nicholas
Akeeba Staff
Manager
Hello Mel,
First of all, Admin Tools runs inside Joomla!. You are wondering about an FTP and hosting level security issue which is many layers before Admin Tools even has the chance to run. So no, Admin Tools can't help you with that.
Regarding your questions, please let me give you a friendly answer as a web developer and long time Linux geek:
1. Only if you don't give them FTP and Super User access. However, this is impossible if you expect them to be able to help you.
2. Only if you don't give them FTP access. However, this is impossible if you expect them to be able to help you.
3. Only if you don't give them Super User access. However, this is impossible if you expect them to be able to help you.
4. OK, that's the only feasible restriction! When giving them an FTP account to connect to your site DO NOT give them your FTP account which has the same username and password as your host's cPanel! Instead, create a new FTP account in cPanel and give the credentials of the new account to the developers. You can ask your host how to do that.
Finally, if the developers of the extensions you have installed on your site cannot be trusted to work on it without stealing data / causing havoc it is imperative that you uninstall their software. In order to explain why I will present you the argument I use with clients you won't give me FTP access for security reasons: "I am a developer. I have written PHP code which you can't understand. You have knowingly installed and are currently running my PHP code, on your site, on your server. Had I wished to hack your site I would have included a backdoor in my PHP code. You would not be able to know that unless you hired another very expensive developer to review my code. Therefore our relationship is based on implicit trust. I trusted that you would pay me for my software and services, you trusted that I won't try to hack you." I think you get the picture.
First of all, Admin Tools runs inside Joomla!. You are wondering about an FTP and hosting level security issue which is many layers before Admin Tools even has the chance to run. So no, Admin Tools can't help you with that.
Regarding your questions, please let me give you a friendly answer as a web developer and long time Linux geek:
1. Only if you don't give them FTP and Super User access. However, this is impossible if you expect them to be able to help you.
2. Only if you don't give them FTP access. However, this is impossible if you expect them to be able to help you.
3. Only if you don't give them Super User access. However, this is impossible if you expect them to be able to help you.
4. OK, that's the only feasible restriction! When giving them an FTP account to connect to your site DO NOT give them your FTP account which has the same username and password as your host's cPanel! Instead, create a new FTP account in cPanel and give the credentials of the new account to the developers. You can ask your host how to do that.
Finally, if the developers of the extensions you have installed on your site cannot be trusted to work on it without stealing data / causing havoc it is imperative that you uninstall their software. In order to explain why I will present you the argument I use with clients you won't give me FTP access for security reasons: "I am a developer. I have written PHP code which you can't understand. You have knowingly installed and are currently running my PHP code, on your site, on your server. Had I wished to hack your site I would have included a backdoor in my PHP code. You would not be able to know that unless you hired another very expensive developer to review my code. Therefore our relationship is based on implicit trust. I trusted that you would pay me for my software and services, you trusted that I won't try to hack you." I think you get the picture.
Nicholas K. Dionysopoulos
Lead Developer and Director
π¬π·Greek: native π¬π§English: excellent π«π·French: basic β’ π My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
Friday, 08 August 2014 08:32 CDT
MelanieB
Hi Nicholas,
thanks for your reply - appreciated.
I trust most of the developers I work with, its just the occasional one that lets me down - which is a shame.
I had done as you suggested - created alternative FTP account etc. Its scary that the code can be added without us knowing.
One last question, would the file change scanner in admin tools be able to identify what files where changed after a third party has been in?
I know I sound paranoid, but as you can appreciate, we spend a lot of time and money building are little websites, that it can be a crushing blow if it becomes corrupted.
I love akeeba by the way - its saved me so much time and hassle over the years.
Mel
thanks for your reply - appreciated.
I trust most of the developers I work with, its just the occasional one that lets me down - which is a shame.
I had done as you suggested - created alternative FTP account etc. Its scary that the code can be added without us knowing.
One last question, would the file change scanner in admin tools be able to identify what files where changed after a third party has been in?
I know I sound paranoid, but as you can appreciate, we spend a lot of time and money building are little websites, that it can be a crushing blow if it becomes corrupted.
I love akeeba by the way - its saved me so much time and hassle over the years.
Mel
Friday, 08 August 2014 16:12 CDT
nicholas
Akeeba Staff
Manager
> One last question, would the file change scanner in admin tools be able to identify what files where changed after a third party has been in?
Yes, of course. You need to run it before and after. Modified and added files will be noted as such.
> I know I sound paranoid, but as you can appreciate, we spend a lot of time and money building are little websites, that it can be a crushing blow if it becomes corrupted.
You don't sound paranoid. Not to me. I honestly do understand you :)
Yes, of course. You need to run it before and after. Modified and added files will be noted as such.
> I know I sound paranoid, but as you can appreciate, we spend a lot of time and money building are little websites, that it can be a crushing blow if it becomes corrupted.
You don't sound paranoid. Not to me. I honestly do understand you :)
Nicholas K. Dionysopoulos
Lead Developer and Director
π¬π·Greek: native π¬π§English: excellent π«π·French: basic β’ π My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!