[pmwiki-users] WikiFarm Security, Are Suspenders Really Necessary?
Sandy
sandy at onebit.ca
Mon Nov 20 09:27:37 CST 2006
Anyone?
Sandy
Sandy wrote:
> Small site, hoping to become more small sites. Using CPanel, Apache,
> SmartFTP. No shell access. No shopping cart or automated money or credit
> card numbers. Frequent backups by copying everything back down to my
> home machine.
>
> While moving the engine out of the web directory, moving /pub and /skins
> back into the web directory, repointing the path variables and learning
> how to do symlinks and .htaccess, the suspenders tied me into knots.
> Never did untangle them. Not looking forward to updates.
>
> Then Pm pointed out suspenders might be overkill!
>
> Assuming I do the following, what risk am I really running?
>
> 1. Copy the pmwiki program and all that comes with it to
> /www/pmwiki/pmwiki.php.
>
> 2. Edit the farm's local/config.php to contain
> <?php exit();
> Do the same with /pmwiki/index.
>
> 3. Create sites in /www/sites . Use the "slightly more secure" method
> for creating wiki.d directories:
>
> 3a. Chmod 2777 . on /www/sites/site1 .
> 3b. Run PmWiki.
> 3c. Chmod 755 . to lock /www/sites/site1 up again.
>
> (Side question: what does the . in the chmod command do? SmartFTP won't
> allow it.)
>
> 4. Lock everything down tight using AuthUser, to make a CMS system.
>
> Next steps are purely cosmetic, but done at the same time:
>
> 5. Use CPanel to create subdomains, so www.site1.mydomain.com points to
> /www/sites/site1 (and so on).
>
> 6. Use $EnablePathInfo and .htaccess mod_rewrite to get CleanURLs that
> don't look like they're from a wiki. (Use trial and error or ask for
> help with mod_rewrite.)
>
> 7. Stick to recipes by known contributors and/or with Pm's blessing.
>
> So, what would the hackers be able to do?
>
> Thanks in advance,
>
> Sandy
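Steps 1 to 3 above, as an added shell example that is not from the original post or from PmWiki itself: it builds the farm layout in a scratch directory, with a plain mkdir standing in for PmWiki's first run that creates wiki.d, and then audits which directories are still world-writable once the field is locked back down. Assumptions are the $ROOT layout and the 2777 mode left on wiki.d.

```shell
#!/bin/sh
# Added example, not from the original post: models steps 1-3 of the farm
# layout in a scratch directory and audits what is left world-writable.
# Assumed layout: $ROOT/pmwiki holds the engine, $ROOT/sites/<name> each field.
# Creating wiki.d by hand stands in for PmWiki's first run, which cannot
# happen offline; its mode (2777) is an assumption about what the server leaves.
set -eu

ROOT="${ROOT:-$(mktemp -d)}"

# Steps 1 and 2: the farm's own config.php and index stop executing at once,
# so the engine directory itself never serves a page.
setup_engine() {
    mkdir -p "$ROOT/pmwiki/local"
    printf '<?php exit();\n' > "$ROOT/pmwiki/local/config.php"
    printf '<?php exit();\n' > "$ROOT/pmwiki/index.php"
}

# Step 3: open the field directory only long enough for the web server to
# create wiki.d, then lock it back to 755. In "chmod 2777 ." the "." is the
# current directory; giving the path explicitly does the same without a cd.
setup_site() {
    site="$ROOT/sites/$1"
    mkdir -p "$site"
    chmod 2777 "$site"                 # 3a: anyone may create entries, setgid
    mkdir -p "$site/wiki.d"            # 3b: stands in for PmWiki's first run
    chmod 2777 "$site/wiki.d"          #     (assumed mode the server leaves)
    chmod 755 "$site"                  # 3c: field directory locked again
}

# Audit: list every directory under $ROOT still writable by "other".
# After step 3c the only expected hit is wiki.d, which the server must write.
world_writable_dirs() {
    find "$ROOT" -type d -perm -002
}

# Returns 0 when the single path given is world-writable, 1 otherwise.
is_world_writable() {
    [ -n "$(find "$1" -prune -perm -002)" ]
}
```

Run the audit after every update as well, since an unpacked release or a recipe can reintroduce loose modes.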