netenberg.com
Author Topic: Moodle config.php  (Read 5553 times)
lms
Newbie
*
Posts: 8


« on: May 27, 2010, 08:33:16 AM »

Hi,

I've noticed a couple of issues with how the fantastico script does a moodle upgrade from one version to the next. I'm specifically referring to a moodle 1.9.7 to 1.9.8 upgrade.

Upon upgrade, a new config.php gets written to the public_html directory. Two issues:

1. Data directory: The line reads something like $CFG->dataroot  = '/home/accountname/public_html/uploaddata' ; It is more secure to locate this directory outside webroot, and sysadmins expect this dir to be titled 'moodledata', so a path like '/home/accountname/moodledata' is best practice. Upon upgrade, unsuspecting teachers and students may not be able to access their courses, and sysadmins may not realise that their config file is no longer pointing to the 'moodledata' located outside webroot.

2. Password salt: This is a new feature from moodle 1.9.7. A random string or salt is added to all user passwords. The line reads something like $CFG->passwordsaltmain = ',Fpw4B[wAEA1*rb3&~07zeox' ;  Upon upgrade, the new config file replaces the 'old' salt with a 'new' salt. This effectively locks all users out of the LMS, including admins, because the md5 hash passwords stored in the mysql database contain the 'old' salt. Users may be able to use the password retrieve function, but this will inconvenience many thousands of users. Unsuspecting sysadmins will not be aware that the password salt has been changed and will not understand why users cannot log in to the LMS.

http://docs.moodle.org/en/Password_salting

My strong recommendation is that the fantastico script does NOT edit the config.php file during a moodle upgrade. What do other Moodlers think? I'd encourage the fantastico developers to join the dialogue.
Mahendra
Administrator
Maestro
*****
Posts: 1932



« Reply #1 on: May 27, 2010, 10:24:44 AM »

> My strong recommendation is that the fantastico
> script does NOT edit the config.php file during a
> moodle upgrade. What do other Moodlers think? I'd
> encourage the fantastico developers to join the
> dialogue.

Thanks for the detailed explanation. We will definitely implement both of these suggestions of yours in the upcoming and subsequent releases.
lms
Newbie
*
Posts: 8


« Reply #2 on: May 27, 2010, 07:04:45 PM »

Ok, thanks. We look forward to the update.
lms
Newbie
*
Posts: 8


« Reply #3 on: June 11, 2010, 09:20:25 AM »

Another recommendation: during initial moodle install, the script should make the directory called 'moodledata' and locate it outside webroot. Locate this directory in a more secure location.

So the config.php file needs to contain a line like...

$CFG->dataroot  = '/home/accountname/moodledata' ;

---

NOT

$CFG->dataroot  = '/home/accountname/public_html/uploaddata' ;
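A pre/post-upgrade check for the two config.php problems reported in this thread, as an added example that is not part of the original posts or of the fantastico script: it compares the config.php saved before an upgrade with the one written afterwards. The function names, finding codes, sample file contents and webroot path are assumptions constructed for illustration.

```python
import posixpath
import re

# Simple single-quoted assignments, e.g.  $CFG->dataroot  = '/path' ;
CFG_LINE = re.compile(r"^\s*\$CFG->(\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;", re.M)

# Constructed sample files (not taken from a real site).
OLD_CONFIG = """<?php
$CFG->dataroot  = '/home/accountname/moodledata' ;
$CFG->passwordsaltmain = 'constructed-old-salt' ;
"""
NEW_CONFIG = """<?php
$CFG->dataroot  = '/home/accountname/public_html/uploaddata' ;
$CFG->passwordsaltmain = 'constructed-new-salt' ;
"""
WEBROOT = "/home/accountname/public_html"


def parse_cfg(text):
    """Return {setting: value} for single-quoted $CFG string assignments."""
    return dict(CFG_LINE.findall(text))


def inside(path, root):
    """True if path is root itself or lies below it (after normalisation)."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root + "/")


def audit_upgrade(old_text, new_text, webroot):
    """Compare config.php before/after an upgrade; return (code, detail) findings."""
    old, new = parse_cfg(old_text), parse_cfg(new_text)
    findings = []
    # A salt that existed before must survive unchanged, or stored hashes stop matching.
    if "passwordsaltmain" in old and old["passwordsaltmain"] != new.get("passwordsaltmain"):
        findings.append(("SALT_CHANGED", "restore the previous passwordsaltmain"))
    if "dataroot" in old and old["dataroot"] != new.get("dataroot"):
        findings.append(("DATAROOT_CHANGED", "%s -> %s" % (old["dataroot"], new.get("dataroot"))))
    if "dataroot" in new and inside(new["dataroot"], webroot):
        findings.append(("DATAROOT_IN_WEBROOT", new["dataroot"]))
    return findings


if __name__ == "__main__":
    for code, detail in audit_upgrade(OLD_CONFIG, NEW_CONFIG, WEBROOT):
        print(code, detail)
```

Running it against a backup of config.php taken before the upgrade shows whether the salt or data directory was rewritten before users start reporting login failures.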