New to FarmOS. Have my hosting set up with Farmier. As I began uploading files, the warning (paraphrasing here)… “anyone with the URL can access these files”… leaves me more than a bit concerned. How is data security managed within FarmOS? It seems this warning would indicate the database has a significant data security opening and it’s not secure for confidential private information. Can outside parties access my data? Would appreciate clarification regarding what this warning implies.
Hi @graffte - See this other forum post for some more details and background: “File attachements public by default? If so, what's the best strategy for making them private?”
The summary is: by default Drupal saves files using the “public file system”, which puts them in sites/[url]/files, and although that cannot be browsed by the public, if someone knows the exact URL of an uploaded file they can go to that URL directly in a browser and see the file.
So it is “security through obscurity” right now, which I agree is not ideal. The only way it can be exploited is if someone knows an exact URL of a file. Worth noting that this has nothing to do with the “database” of farmOS (log, assets, area records/relationships/history). It is only uploaded files.
The solution to this is to switch to using the “private file system” in Drupal, which forces all requests for those files to go through Drupal’s access control logic. I am hoping to make that the default on Farmier hosting. It hasn’t been a big priority, but now that you bring it up my interest is revived.
Hope that all makes sense. I may be able to enable private files on your farmOS specifically as an initial test. Direct message me with your URL and let’s give it a try. One of the main considerations is that I’m not sure how it will work if we switch from public to private after files have already been uploaded - but if you haven’t uploaded any then that isn’t a problem.
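A check a site owner can run against their own instance to see which uploaded-file URLs are served to a visitor who is not logged in. It is an added example, not part of the replies above and not farmOS or Farmier code. It assumes private files use Drupal's default system/files/ route; the host farm.example and the sample URLs are constructed.

```python
import re
import urllib.error
import urllib.request

# Public files live under sites/<site>/files/ (the path given in the reply above).
PUBLIC_RE = re.compile(r"/sites/[^/]+/files/")
# Assumption: private files are served through Drupal's default system/files/ route.
PRIVATE_RE = re.compile(r"/system/files/")

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects, so a bounce to a login page is not read as 200."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def classify(url):
    """Label a file URL by the file system its path implies."""
    if PRIVATE_RE.search(url):
        return "private"
    if PUBLIC_RE.search(url):
        return "public"
    return "unknown"

def anonymous_status(url, timeout=10):
    """HTTP status of a HEAD request sent with no cookies or credentials."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def audit(urls, fetch=anonymous_status):
    """Return (url, kind, status, exposed) per URL; exposed means a 2xx answer."""
    rows = []
    for url in urls:
        status = fetch(url)
        rows.append((url, classify(url), status, 200 <= status < 300))
    return rows

if __name__ == "__main__":
    # Constructed sample: farm.example is a placeholder host, and the dict
    # stands in for the network so the demo runs offline.
    sample = {
        "https://farm.example/sites/farm.example/files/field1.jpg": 200,
        "https://farm.example/system/files/field1.jpg": 403,
    }
    for row in audit(sample, fetch=sample.get):
        print(row)
```

To probe a real site, call `audit()` with your own file URLs and leave `fetch` at its default; any row with `exposed` set to True is readable by anyone who has the URL.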
Thanks for the explanation. I don’t think I’m comfortable with an “obscurity” based security solution. I’d much prefer moving to the private file system you describe. Too many bad actors out there these days running automation to troll for anything they can find. In my day job, while I’m not a software database expert, I participate on a corporate technology leadership board within a Fortune 500 company that oversees product cyber security. You can’t take cyber security seriously enough these days. Private data needs to be locked down.
I would be happy to be the guinea pig to see how the conversion from public to a private file system behaves. I just started loading a few files. Mostly photos of some of my fields. If I have to reload again, not a big deal. Much rather have the private file system in place.
How do I direct message you?
@graffte - I sent you a DM - let’s give this a try!
Update for anyone else finding this topic in the future: I am in the process of deploying private file uploads to all Farmier hosted instances. So this warning will go away soon.
Thanks @graffte for the push.