[Pmwiki-users] file permissions

Patrick R. Michaud pmichaud
Mon Aug 11 00:26:42 CDT 2003


On Mon, Aug 11, 2003 at 01:23:49AM +0200, erik de wild wrote:
> This is not a question but more a point of discussion. It's about the 
> permissions you should set on the PMwiki files and directories. The 
> recommended permission give users the change, when the configuration of 
> the apache server allows, to look what files are there and what the 
> content is.

Umm, by "users" here are you referring to people who are able to log into
the server, or people who are simply browsing via the web?  If you're
referring to people browsing via the web, PmWiki tries to prevent this
from happening by creating .htaccess files that deny access to files in
the subdirectories.  You can also create a .htaccess file to limit
permissions to the pmwiki root directory.  Or, you can do as I do on
some of my sites, and move the pmwiki directory completely out of
the web hierarchy and access it with a different URL (see
http://www.pmichaud.com/wiki/PmWiki/ChangePmWikiURL for ideas on how to do
this).

If you're talking about users who can log into the server, there's very
little that can be done to prevent them from being able to access the
files.  I can explain further if desired.  :-)

> Giving group members all the permissions needed to do everything with 
> the site is a security leak because a hacker can add him/herself to the 
> group and do anything with the site he or she wants.

If a hacker has the ability to add himself/herself to a unix group, then
they generally already have sufficient permissions to do anything with 
the site he/she wants, as adding a user to a group usually requires
root permissions.

> I think the safest way to run a PMwiki site is to give the user linked 
> to the webserver (apache, nobody, www) full permissions but the group 
> or others none.

You can do this, but it also makes it very difficult to remove files or
create backups of the pmwiki installation, because the files become
readable only by the webserver.  Depending on the server configuration,
allowing group access to the files doesn't significantly affect system
security.

> I still have a lot of questions but this is my third mail for the 
> evening. If this is too much please let me know in a gentle way.

Questions are generally welcome, at least by me.  :-)

Pm
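As an added illustration of the two layouts contrasted above (webserver-only versus group-shared), not code from the thread or from PmWiki itself, here is a POSIX shell function that applies either layout to an install directory and drops the deny-all .htaccess files into its subdirectories. It assumes the tree is already owned by the webserver user (chown needs root, so it is not done here) and that the admin group name, if one is used, is supplied by the caller; the directory names in the usage call are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): apply one of the two
# permission layouts discussed above to a PmWiki install directory.
#   private : only the owning (webserver) user can read/write   (dirs 700, files 600)
#   shared  : owner and an admin group can read/write, others nothing (dirs 770, files 660)
# Assumes the tree is already owned by the webserver user; the group
# argument is optional and only meaningful for the shared layout.
harden_pmwiki_tree() {
    dir=$1; layout=$2; group=${3:-}
    case "$layout" in
        private) dmode=700; fmode=600 ;;
        shared)  dmode=770; fmode=660 ;;
        *) echo "layout must be private or shared" >&2; return 2 ;;
    esac
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # Optional group handover for the shared layout (fails if the group does not exist).
    if [ -n "$group" ]; then
        chgrp -R "$group" "$dir"
    fi
    find "$dir" -type d -exec chmod "$dmode" {} +
    find "$dir" -type f -exec chmod "$fmode" {} +
    # Deny direct web access to every subdirectory, as the .htaccess files
    # mentioned above do. Both the Apache 2.2 and 2.4 forms are written so
    # either version honours the rule.
    for sub in "$dir"/*/; do
        [ -d "$sub" ] || continue
        printf '%s\n' '<IfModule mod_authz_core.c>' '  Require all denied' '</IfModule>' \
            '<IfModule !mod_authz_core.c>' '  Order deny,allow' '  Deny from all' '</IfModule>' \
            > "$sub.htaccess"
        chmod "$fmode" "$sub.htaccess"
    done
}

# Report the octal mode of a path (GNU stat; on BSD/macOS use: stat -f %Lp).
mode_of() { stat -c %a "$1"; }

# Usage (constructed path): harden_pmwiki_tree /var/www/pmwiki shared wikiadmin
```

After the shared layout is applied, anyone in the admin group can still back up or remove files, which is the trade-off Pm describes; with the private layout only the webserver user can.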


