Intranet Administration / Internet Presentation

Posted: Tue Jan 08, 2008 11:29 am
by klaus_s
Hi folks,

I'm currently in the process of hardening my 1.5 installation. The following may sound a little paranoid so I apologize here already ...

I was wondering whether it is possible to run two Joomla instances on the same database. Motivation: the "Internet" instance would have largely reduced database permissions (thus shielding from SQL injections) whereas the "Intranet" instance would have a "full permission" DB user in order to add content. I have no visitor-driven (Joomla-handled) content.

So the questions are .....
a) is it possible to run two Joomla instances on the same DB using two different DB users with different permissions
b) if so - can I revoke the MySQL insert/delete/update permissions for the site content tables (for the internet instance) while keeping the naked presentation capabilities intact?

I haven't looked into the DB table attributes yet - I think you're tracking the page traffic somewhere so I'm not sure whether b) can work out as envisioned. 

I'm running a fairly large site which is being attacked on a regular basis (unsuccessfully to date), so I'm feeling a bit uneasy about moving away from my proprietary "CMS". But visually it's very dated by now, so I need to move on, and Joomla templates are cool looking and the content management is pretty nice.

Thanks

Klaus

Re: Intranet Administration / Internet Presentation

Posted: Tue Jan 08, 2008 10:39 pm
by klaus_s
Well, actually I just simply gave it a try.

I disabled the Joomla session handling (therefore no DB inserts here) and granted DB SELECT permissions only to the Joomla DB user. Generally no problem but one (only checked in RC3 using the standard dummy content) - Joomla has a built-in banner tracking performing a DB update which produced an error within banner.php. After disabling the RaiseError call there I didn't run into a problem anymore while surfing the dummy portal. Will do more testing, but it seems that it is viable to run a 100% SQL-injection-resistant Joomla frontend instance (with a reduced feature set naturally, but I don't mind within my scope). Cool. This helps me sleep at night. ;D

Will also try the DMZ-shielded shadow Joomla instance (with a full scale DB user for adding content) unless someone thinks this is senseless ... ?
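The split described in the two posts above (one read-only MySQL account for the Internet-facing instance, one full account for the Intranet authoring instance, both pointing at the same schema from their respective configuration.php) can be set up with plain MySQL GRANTs. The following is an added example, not code from the original posts or from the Joomla project. The database name `joomla15`, the two account names, the host patterns and the passwords are hypothetical placeholders; the `jos_` table prefix is the Joomla 1.5 default and would be replaced by whatever `$dbprefix` the installation uses.

```sql
-- Added example: privilege split for two Joomla 1.5 instances sharing one schema.
-- Assumptions (not from the original post): MySQL 5.x, database 'joomla15',
-- default 'jos_' table prefix, run as an account that holds GRANT OPTION.

-- 1. Intranet / authoring instance: full data privileges, but confined to the
--    Joomla schema (no global privileges, no FILE, no SUPER).
CREATE USER 'joomla_intranet'@'10.0.0.%' IDENTIFIED BY 'replace-with-a-long-random-secret';
GRANT SELECT, INSERT, UPDATE, DELETE
    ON joomla15.* TO 'joomla_intranet'@'10.0.0.%';

-- 2. Internet-facing presentation instance: SELECT only.  Any INSERT, UPDATE or
--    DELETE smuggled in through an injection is refused by the server itself,
--    independent of how the PHP code builds its queries.
CREATE USER 'joomla_web'@'192.0.2.%' IDENTIFIED BY 'replace-with-another-long-random-secret';
GRANT SELECT ON joomla15.* TO 'joomla_web'@'192.0.2.%';

-- 3. Optional tightening: a frontend with sessions and logins disabled still joins
--    jos_users for author names, but it has no business reading password hashes.
--    MySQL supports column-level SELECT grants, so replace the schema-wide SELECT
--    on that one table with an explicit column list.  The columns listed here are
--    an assumption; derive the real list from the queries the frontend issues.
REVOKE SELECT ON joomla15.* FROM 'joomla_web'@'192.0.2.%';
GRANT SELECT ON joomla15.jos_content    TO 'joomla_web'@'192.0.2.%';
GRANT SELECT ON joomla15.jos_categories TO 'joomla_web'@'192.0.2.%';
GRANT SELECT ON joomla15.jos_sections   TO 'joomla_web'@'192.0.2.%';
GRANT SELECT ON joomla15.jos_menu       TO 'joomla_web'@'192.0.2.%';
GRANT SELECT ON joomla15.jos_modules    TO 'joomla_web'@'192.0.2.%';
GRANT SELECT ON joomla15.jos_components TO 'joomla_web'@'192.0.2.%';
GRANT SELECT (id, name, username, usertype)
    ON joomla15.jos_users TO 'joomla_web'@'192.0.2.%';
FLUSH PRIVILEGES;

-- 4. Verify what each account ended up with.
SHOW GRANTS FOR 'joomla_web'@'192.0.2.%';
SHOW GRANTS FOR 'joomla_intranet'@'10.0.0.%';

-- 5. Smoke test, executed as joomla_web.  The first statement succeeds; the
--    second is exactly what an injected write (or the banner impression counter
--    mentioned in the post) would attempt, and is rejected with
--    "ERROR 1142 (42000): UPDATE command denied to user ... for table 'jos_content'".
SELECT id, title FROM jos_content WHERE state = 1 LIMIT 5;
UPDATE jos_content SET introtext = 'defaced' WHERE id = 1;
```

Two caveats a practitioner should keep in mind when evaluating the "100% SQL-injection-resistant" claim. First, a SELECT-only account stops an attacker from writing, but not from reading: with a schema-wide SELECT an injection can still pull every row of jos_users, password hashes included, via a UNION or blind technique, which is why step 3 narrows the read-only account to the columns the frontend actually needs. Second, any feature that writes on page view (the banner tracking the post ran into, per-article hit counters, session rows if sessions are re-enabled) will now raise a database error; enumerate those write paths by exercising the site against the restricted account with MySQL's query logging switched on, and decide per feature whether to disable it or accept the lost functionality, rather than silencing the error in banner.php alone.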