[pmwiki-users] WikiFarm Security, Are Suspenders Really Necessary?

Sandy sandy at onebit.ca
Fri Nov 10 10:00:04 CST 2006


Small site, hoping to become more small sites. Using CPanel, Apache, 
SmartFTP. No shell access. No shopping cart or automated money or credit 
card numbers. Frequent backups by copying everything back down to my 
home machine.

While moving the engine out of the web directory, moving /pub and /skins 
back into the web directory, repointing the path variables and learning 
how to do symlinks and .htaccess, the suspenders tied me into knots. 
Never did untangle them. Not looking forward to updates.

Then Pm pointed out suspenders might be overkill!

Assuming I do the following, what risk am I really running?

1. Copy the pmwiki program and all that comes with it to 
/www/pmwiki/pmwiki.php.

2. Edit the farm's local/config.php to contain
	<?php exit();
Do the same with /pmwiki/index.

3. Create sites in /www/sites . Use the "slightly more secure" method 
for creating wiki.d directories:

3a. Chmod 2777 . on /www/sites/site1 .
3b. Run PmWiki.
3c. Chmod 755 . to lock /www/sites/site1 up again.

(Side question: what does the . in the chmod command do? SmartFTP won't 
allow it.)

4. Lock everything down tight using AuthUser, to make a CMS system.

Next steps are purely cosmetic, but done at the same time:

5. Use CPanel to create subdomains, so www.site1.mydomain.com points to 
/www/sites/site1 (and so on).

6. Use $EnablePathInfo and .htaccess mod_rewrite to get CleanURLs that 
don't look like they're from a wiki. (Use trial and error or ask for 
help with mod_rewrite.)

7. Stick to recipes by known contributors and/or with Pm's blessing.

So, what would the hackers be able to do?

Thanks in advance,

Sandy
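As an added example, not code from the original post or from PmWiki itself, here is a small POSIX shell audit of the layout described above. It assumes the farm's index file is index.php (the post only says "index.") and builds its own throwaway farm under a temp directory, with one site locked down correctly and one where step 3c was forgotten.

```shell
#!/bin/sh
# Audit the farm layout from the post: (a) the farm's local/config.php and
# index file still begin with the "<?php exit();" stub from step 2, and
# (b) no site directory is still world-writable, i.e. step 3c ("chmod 755 .")
# was really run after the 2777 of step 3a. The "." in those chmod commands
# simply means the current working directory.

# Return 0 if the file's first line is the exit stub, 1 otherwise.
farm_stub_ok() {
    [ -f "$1" ] || return 1
    head -n 1 "$1" | grep -q '^<?php exit();'
}

# List site directories (one level below $1) that still have the
# "other" write bit set, i.e. were left at mode 2777.
world_writable_sites() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm -002
}

# Overall audit of a farm root: prints findings, returns 0 only if clean.
# Assumes the farm index file is index.php (hypothetical; post says "index.").
audit_farm() {
    farm=$1
    rc=0
    for f in "$farm/pmwiki/local/config.php" "$farm/pmwiki/index.php"; do
        farm_stub_ok "$f" || { echo "missing exit stub: $f"; rc=1; }
    done
    bad=$(world_writable_sites "$farm/sites")
    if [ -n "$bad" ]; then
        echo "world-writable site dirs (step 3c not run?):"
        echo "$bad"
        rc=1
    fi
    return "$rc"
}

# Constructed sample farm in a temp dir: site1 locked down correctly,
# site2 with step 3a done but step 3c forgotten. Prints the root path.
make_sample_farm() {
    root=$(mktemp -d)
    mkdir -p "$root/pmwiki/local" "$root/sites/site1" "$root/sites/site2"
    printf '<?php exit();\n' > "$root/pmwiki/local/config.php"
    printf '<?php exit();\n' > "$root/pmwiki/index.php"
    chmod 755 "$root/sites/site1"
    chmod 2777 "$root/sites/site2"
    printf '%s\n' "$root"
}
```

Run `audit_farm /www` (or wherever the farm root is) after each new site is created; a clean run prints nothing and exits 0.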




