
Security: eZ publish security

This is a Stub article. Help the eZ Publish community by expanding it!

For a general description of security, we recommend Computer security on Wikipedia.

eZ publish is very secure! The U.S. Department of Defense uses eZ publish!

eZ publish security

eZ Publish Security Advisories

Published on ez.no, eZ Publish Security Advisories

Securing eZ publish

eZ publish in production! A look at hardening best practices.

File Permissions

"Also in productive environments the extension directory should not be any longer writeable to apache cause of security." -- [email protected]

  1. Installation directory permission

Database Permissions

  1. Use a separate user for each eZ publish installation
  2. Reduce the user's database server permissions to the minimum.
    1. Forum: MySQL Database Privileges Required

eZ publish Administration

SSL
  1. Use a browser and web server which support SSL/HTTPS. Require SSL for all login and admin usage.
  2. The use of SSL protects the clear text information (username and password) during transmission.
ACL
  1. Use an httpd browser-based authentication realm to protect eZ publish.
  2. Using two forms of authentication, ACL and eZ, greatly reduces the chance that someone can compromise eZ publish.
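
The SSL and ACL items above, sketched as an Apache httpd configuration. This is an added example, not taken from the eZ publish documentation; the hostname, file paths and the `/site_admin` admin siteaccess URI are assumptions, and eZ publish's own rewrite rules are left out.

```apache
# Added example: hostname, paths and the /site_admin URI are assumed values.

# Plain HTTP serves no content. Every request is redirected to HTTPS,
# so the username and password are never sent in clear text.
<VirtualHost *:80>
    ServerName cms.example.com
    Redirect permanent / https://cms.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName cms.example.com
    DocumentRoot /var/www/ezpublish

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/cms.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/cms.example.com.key

    # First authentication layer: an httpd realm in front of the
    # administration interface. The eZ publish login form behind it
    # is the second layer. Because this block lives only in the
    # HTTPS virtual host, the Basic credentials always travel over SSL.
    <Location "/site_admin">
        AuthType Basic
        AuthName "eZ publish administration"
        # Keep the password file outside DocumentRoot.
        AuthUserFile /etc/apache2/ezpublish-admin.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

Give the realm accounts different passwords from the eZ publish accounts, so that one leaked credential does not open both layers.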

eZ publish Users, Groups, Roles and Permissions

  1. Do not use the 'admin' user. This is similar to the rule on Unix-like operating systems to use a non-privileged user as much as possible.
  2. If you need more permissions, create a group called, say, 'ez-admin', and add a new user 'eza-john' to the group. Add permissions as needed to your group/user roles.

Security related topics

External resources