FarmSecurity

Summary: Some things to know about PmWiki.WikiFarm security.
Status: Stable
Version: 3
Prerequisites: pmwiki-2.0
Maintainer: Hagan Fox
Discussion: FarmSecurity-Talk
Categories: Security WikiFarms

This page explores some WikiFarm security concerns.

Questions that are answered by this recipe

What should I do to "lock down" my farm installation? How can I make sure there won't be an unintentional open wiki running on my server?

The home wiki

A wiki located in the same directory as the PmWiki software is called the home wiki. If you start with a stand-alone installation and add a wiki, the original wiki becomes a home wiki. For many farm installations there's no compelling reason to stop using the home wiki, although usually when an administrator installs a farm from scratch it's disabled.

Keeping the home wiki

The main difference between a home wiki and a wiki installed in a directory other than the PmWiki directory is that any cookbook recipe, and anything placed in the home wiki's pub/ directory (skins in particular), becomes available to every wiki in the farm. The two include forms below point to the same directory in a home wiki, but to different directories in any other wiki:

include_once("$FarmD/cookbook/recipe.php");
include_once("cookbook/recipe.php");

As a "best practice" it is probably wise to always use the top form, even in a home wiki.

Moving a home wiki

For the most part moving a home wiki to another directory only involves creating a new empty wiki from scratch and moving wiki.d/ and local/config.php to it.

There's one caveat: You can't always just copy or move a config.php file from a home wiki to a non-home wiki and have it work. You need to switch to the top version of the two examples above, where "$FarmD/" is part of the path to scripts in the farm's (and home wiki's) scripts/ and cookbook/ directories. Be sure to use double quotes ("), not single (').

What about the pub/ directory? For example, what about pub/css/local.css?
See the note about $FarmPubDirUrl in the section below.
Does this subsection deserve its own recipe, or maybe a move to PmWiki.WikiFarmsAdvanced? It's not really security-related.
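The move described above, scripted as an added example (not part of this recipe or of PmWiki): it moves wiki.d/ and local/config.php into a new wiki directory, rewrites double-quoted relative includes to the "$FarmD/" form, reports single-quoted ones that need a hand edit, and disables the vacated home wiki. The directory names and the fixture are constructed assumptions.

```sh
#!/bin/sh
# Added example, not part of the recipe: move a home wiki out of the PmWiki
# directory into its own wiki directory, rewriting config.php includes to the
# "$FarmD/" form this page calls for. Directory names are assumptions.
set -eu

# Rewrite relative cookbook/ and scripts/ includes to the farm-qualified form.
# Only double-quoted paths are rewritten: in single quotes PHP would not
# interpolate $FarmD, so those lines are printed for a hand edit instead.
fix_includes() {   # usage: fix_includes path/to/config.php
  cfg="$1"
  sed -i.bak \
    -e 's|include_once("cookbook/|include_once("$FarmD/cookbook/|g' \
    -e 's|include_once("scripts/|include_once("$FarmD/scripts/|g' "$cfg"
  rm -f "$cfg.bak"
  grep -nE "include_once\('(cookbook|scripts)/" "$cfg" \
    | sed 's/^/needs double quotes and $FarmD at line /' || true
}

# Move the home wiki's pages and config from the PmWiki directory ($1) to a
# new wiki directory ($2), then make sure the vacated location stays closed.
move_home_wiki() {   # usage: move_home_wiki /usr/local/pmwiki /var/www/wiki
  farmd="$1"; newwiki="$2"
  mkdir -p "$newwiki/local"
  mv "$farmd/wiki.d" "$newwiki/wiki.d"
  mv "$farmd/local/config.php" "$newwiki/local/config.php"
  fix_includes "$newwiki/local/config.php"
  # Wrapper script: the new directory runs the farm's copy of pmwiki.php.
  printf '%s\n' "<?php include_once('$farmd/pmwiki.php');" > "$newwiki/index.php"
  # Disable the home wiki so the old URL cannot quietly come back as an open wiki.
  printf '%s\n' "<?php header('HTTP/1.0 403 Forbidden'); exit;" \
    > "$farmd/local/config.php"
}

# Constructed fixture: a pretend home wiki with one page and two relative includes.
make_fixture() {   # usage: make_fixture /tmp/root  (creates /tmp/root/pmwiki)
  farmd="$1/pmwiki"
  mkdir -p "$farmd/local" "$farmd/wiki.d"
  : > "$farmd/pmwiki.php"; : > "$farmd/wiki.d/Main.HomePage"
  printf '%s\n' '<?php if (!defined("PmWiki")) exit();' \
    'include_once("cookbook/recipe.php");' \
    "include_once('cookbook/other.php');" > "$farmd/local/config.php"
}

if [ "${1:-}" = demo ]; then
  root=$(mktemp -d); make_fixture "$root"
  move_home_wiki "$root/pmwiki" "$root/www/wiki"
  cat "$root/www/wiki/local/config.php"; rm -rf "$root"
fi
```

Run with the argument `demo` to see the rewritten config.php on a throwaway fixture; uploads/ is not moved because the recipe does not mention it.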

Disabling the home wiki

If you aren't using a home wiki be sure to disable it. It's easy to do.

On some server platforms the webserver can write to the filesystem by default. In that environment, merely visiting the URL of pmwiki.php will cause the home wiki to be created. To ensure that a home wiki cannot be created, place a config.php file with the following single line in your farm's local/ directory:

<?php header('HTTP/1.0 403 Forbidden'); exit;

Or, if you want to provide an error message, use these lines:

<?php
# Disable the home wiki for this farm.
header('HTTP/1.0 403 Forbidden');
exit('<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD><TITLE>403 Forbidden</TITLE></HEAD>
<BODY><H1>403 Forbidden</H1>
<P>You don\'t have permission to access the requested file.
</BODY></HTML>');

Depending on your web server's configuration, you may also want to put a copy of the same script in the directory with pmwiki.php, named index.php, so that it becomes the index file for the directory where PmWiki is installed.

Denying access with .htaccess

If your server supports it, you can create a .htaccess file in the farm's installation directory (where pmwiki.php resides) with this:

Order Deny,Allow
Deny from All

and create another .htaccess file in the farm's pub/ directory with this:

Allow from All

The first .htaccess file prevents public access to the farm installation, including pmwiki.php and the scripts/ and cookbook/ directories. The second .htaccess file allows browser access to the pub/ directory and its subdirectories like css/, guiedit/ and skins/.

Installing PmWiki outside the web document tree

Installing PmWiki outside the web space has the effect of denying web access to the software's files and also disables the home wiki. Only the pub/ directory (the directory that holds publicly-accessible files) needs to be reachable by a web browser.

Just be sure that $FarmPubDirUrl is configured to the URL that corresponds to the pub directory. For example, you might put this line in farmconfig.php to do that:

$FarmPubDirUrl = 'http://www.example.com/pub';

or maybe

$FarmPubDirUrl = 'http://www.example.com/pmwiki/pub';

Example

This is just PmWiki, unpacked into a directory with pub/ moved out and a farmconfig.php created in local/:

/usr/local/pmwiki/
   |-- pmwiki.php
   |-- wikilib.d/          (default pages)
   |-- cookbook/           (farm-wide cookbook)
   |-- docs/
   |-- scripts/
   `-- local/
       `-- farmconfig.php  (farm-wide configuration file)

Here are the farm's pub/ directory and some directories and files for a sample wiki. The sample wiki's directories and files would be created from scratch by the administrator and by PmWiki (ideally PmWiki will have created wiki.d/ and uploads/):

/var/www/                  (web document root)
|
|-- pub/                   (wikis' publicly-accessible files)
|
`-- wiki/
   |-- index.php           (wrapper script)
   |-- wiki.d/             (wiki's page storage)
   |-- local/              (wiki's local configuration)
   |   |-- config.php      (...for the entire wiki)
   |   |-- Group.php       (...for the Group wikigroup)
   |   `-- Group.Name.php  (...for the Group.Name page)
   |-- cookbook/           (wiki's recipes)
   |-- uploads/            (wiki's page attachments)
   `-- pub/                (wiki's publicly-accessible files)
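An added audit script (not part of this recipe or of PmWiki) that checks a farm against the lock-down points above: when pmwiki.php sits inside the web document tree the home wiki must be refused by config.php or by a deny-all .htaccess (with the matching Allow in pub/), a wiki.d/ beside pmwiki.php is reported because it means a home wiki has been created, and a pub/ outside the farm directory must come with $FarmPubDirUrl in farmconfig.php. The fixtures mirror the layout above and are constructed; all paths are assumptions.

```sh
#!/bin/sh
# Added example, not part of the recipe: audit a farm for the lock-down points
# on this page. Paths are assumptions.
set -eu
# Print one finding per line; return 1 if anything needs attention.
audit_farm() {   # usage: audit_farm /usr/local/pmwiki /var/www
  farmd="$1"; docroot="$2"; bad=0
  # Is the PmWiki directory inside the web document tree at all?
  case "$farmd/" in "$docroot"/*) in_web=1 ;; *) in_web=0 ;; esac
  if [ "$in_web" = 1 ]; then
    # Reachable by URL, so the home wiki must be refused by config.php or .htaccess.
    disabled=0
    grep -qs 'HTTP/1.0 403 Forbidden' "$farmd/local/config.php" && disabled=1
    grep -qsi '^Deny from All' "$farmd/.htaccess" && disabled=1
    if [ "$disabled" = 0 ]; then
      echo "FAIL: $farmd is web-reachable and its home wiki is not disabled"; bad=1
    fi
    # A deny-all .htaccess needs the matching Allow in pub/, or skins and CSS break.
    if grep -qsi '^Deny from All' "$farmd/.htaccess" && [ -d "$farmd/pub" ] \
       && ! grep -qsi '^Allow from All' "$farmd/pub/.htaccess"; then
      echo "WARN: $farmd/.htaccess denies all but pub/.htaccess does not allow"; bad=1
    fi
  fi
  # A wiki.d/ beside pmwiki.php means a home wiki has been created at some point.
  if [ -d "$farmd/wiki.d" ]; then
    echo "WARN: $farmd/wiki.d exists, so a home wiki was created here"; bad=1
  fi
  # pub/ outside the farm directory needs $FarmPubDirUrl in farmconfig.php.
  if [ ! -d "$farmd/pub" ] && \
     ! grep -qs '^\$FarmPubDirUrl' "$farmd/local/farmconfig.php"; then
    echo "FAIL: pub/ is not under $farmd and \$FarmPubDirUrl is not set"; bad=1
  fi
  return $bad
}
# Constructed fixtures under a scratch root: one farm outside the web tree with
# pub/ in the document root, one left in the web root with no lock-down at all.
make_fixtures() {   # usage: make_fixtures /tmp/root
  mkdir -p "$1/usr/local/pmwiki/local" "$1/var/www/pub" \
           "$1/var/www/pmwiki/pub" "$1/var/www/pmwiki/wiki.d"
  printf '%s\n' '<?php if (!defined("PmWiki")) exit();' \
    "\$FarmPubDirUrl = 'http://www.example.com/pub';" \
    > "$1/usr/local/pmwiki/local/farmconfig.php"
}
if [ "${1:-}" = demo ]; then
  root=$(mktemp -d); make_fixtures "$root"
  audit_farm "$root/usr/local/pmwiki" "$root/var/www" && echo "outside-tree farm: OK"
  audit_farm "$root/var/www/pmwiki" "$root/var/www" || echo "in-tree farm: see findings"
  rm -rf "$root"
fi
```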

Notes

This space is for notes, not questions, etc. If you have a home wiki (a wiki installed in the same directory as the PmWiki software), there's not a compelling reason to convert it to a wiki that is installed away from the PmWiki installation.

See Also

Contributors

Comments

See discussion at FarmSecurity-Talk


Page last modified on September 08, 2012, at 02:28 PM