[pmwiki-users] Protection of attachments!?!

Patrick R. Michaud pmichaud at pobox.com
Wed Nov 30 11:08:35 CST 2005


On Wed, Nov 30, 2005 at 05:51:02PM +0100, Mikael Nilsson wrote:
> On Wed 2005-11-30 at 07:41 -0600, Patrick R. Michaud wrote:
> > On Wed, Nov 30, 2005 at 02:16:39PM +0100, Mikael Nilsson wrote:
> > > Sorry for the spam, here's the solution:
> > > 
> > > http://www.pmwiki.org/wiki/Cookbook/SecureAttachments
> > 
> > It's also mentioned on the PmWiki.UploadsAdmin page, in the section
> > "Password protecting uploaded files".  But perhaps the description
> > needs improvement (feel free to improve it).
> 
> Actually I think the documentation is adequate, I was just somehow
> blind. However, I'm thinking that maybe pmwiki should try to proceed
> down the "secure by default" route?

Several times in the past I've thought about doing "secure by default",
but I'm not sure it's what would make PmWiki most accessible to new
installers.

From time-to-time we've also discussed having an "installation analysis"
script that would review the current settings and environment and point
out things that might be overlooked.

> It's starting to get a bit frustrating to try to hunt down possible
> "holes". A friend of mine has had the same experience that you never
> really know if there are gaping holes left... The default settings for
> passwords are very confusing, as some pages and groups override the
> site-wide settings, for no *obvious* reason.

The default settings are as follows:
   The default admin password is locked.
   Main.GroupAttributes locks the attr password for pages in the Main group.
   PmWiki.GroupAttributes locks the attr password for pages in the PmWiki group.
   Site.GroupAttributes locks editing for pages in the Site group.
   By popular demand, Site.SideBar is unlocked for editing.

> At the very least, it should be documented very clearly what steps are
> needed to lock down an installation:
> 
> * Provide passwords etc. in config.php
> * Check all GroupAttribute pages so that they do not 
>   improperly override this (They do out of the box).

Unfortunately there's not widespread agreement about what constitutes
"improperly override".

> * Check at least Site.SideBar
> * Secure attachments.
> * Maybe more that I have missed? Please add!

Probably set $EnablePageListProtect if there are read-protected
pages that shouldn't appear in page listings.

> Please tell me where in the wiki this information should be added and
> I'll give it a try, unless you plan to fix it in another way.

I think it probably belongs in a cookbook recipe for now, although
we can potentially add it to the main documentation.

Pm
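
The config.php side of the lock-down checklist discussed in this message, as an added example that is not part of the original thread or of PmWiki's own documentation. The password strings are placeholders, and `pmcrypt()` is the helper in current PmWiki releases (installations from the time of this thread called `crypt()` instead).

```php
<?php if (!defined('PmWiki')) exit();
# local/config.php -- added example; every password below is a placeholder.

# 1. Site-wide passwords. A hash generated with ?action=crypt can be pasted
#    in place of each pmcrypt() call so no cleartext is stored in this file.
$DefaultPasswords['admin']  = pmcrypt('CHANGE-ME-admin');
$DefaultPasswords['edit']   = pmcrypt('CHANGE-ME-edit');
$DefaultPasswords['attr']   = pmcrypt('CHANGE-ME-attr');
$DefaultPasswords['upload'] = pmcrypt('CHANGE-ME-upload');

# 2. Keep read-protected pages out of page listings and search results.
$EnablePageListProtect = 1;

# 3. Secure attachments: serve files through ?action=download so the read
#    permission of the owning page is checked, instead of linking straight
#    to the uploads/ directory.
$EnableUpload = 1;
$EnableDirectDownload = 0;
#    The web server must also refuse direct requests to uploads/
#    (move the directory outside the document root or deny access to it),
#    otherwise the files stay reachable by URL.

# Not settable here: passwords stored on Main.GroupAttributes,
# PmWiki.GroupAttributes, Site.GroupAttributes and Site.SideBar override
# these defaults. Review each of those pages with ?action=attr.
```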



