FarmSecurity-OldVersion

Question

Are there special security measures needed for a farm installation of pmwiki?

Answer

If the farm installation of pmwiki has no pages, i.e. no wiki.d/ directory, and only the fields have wiki.d/ directories, then pmwiki.php can be run by anyone who knows or guesses its location and types it into a browser address bar. As a consequence, another field can be inadvertently created (in the farm's installation directory) and used by a third party.

To prevent this, the best solution is to move the whole farm installation out of the public server space (out of the html/ or public_html/ directory tree) into a protected space which is not accessible to browsers, and then create a symlink or webserver alias so that /farmpub points to the farm's pub/ directory. You must create a symlink in each field.

Here is one example: suppose you have installed pmwiki to /wikifarm, which is not in a web-accessible path, and you want to have two fields, English (en) and French (fr). You must create two symlinks, one for each field. The following two ln commands create the two necessary /farmpub symlinks in the two field folders:

    ln -sv /usr/www/virtual/username/wikifarm/pub /usr/www/virtual/username/en.yourwebsite.ca/farmpub
    ln -sv /usr/www/virtual/username/wikifarm/pub /usr/www/virtual/username/fr.yourwebsite.ca/farmpub

(Remember, this is an example only; substitute paths for your environment as appropriate.)

After you have created the symlink(s), then set in farmconfig.php.

WARNING

If your Apache installation enables "follow symlinks" and "directory listing allowed" by default, then the above could result in en.yourwebsite.ca/farmpub listing the contents of the /wikifarm/pub directory. (Of course, the web visitor would have to know or guess that /farmpub is the name of the symlink you used.)

You might want to reduce unwelcome snooping by either or both of the following:

(A) create an empty file called index.html and place it in /wikifarm/pub;
(B) restrict access with an .htaccess file containing:

    Options -Indexes

(note the minus sign before Indexes!).

If the above is not possible, the server is running Apache, and .htaccess can be used, try an .htaccess file for the farm installation containing:

    Order Deny,Allow
    Deny from All

and create another .htaccess file in the farm's pub/ directory with this:

    Allow from All

The first .htaccess file prevents public access to the farm installation, including pmwiki.php and the scripts/ and cookbook/ directories. The second .htaccess file allows browser access to the pub/ directory and its subdirectories like css/, guiedit/ and skins/.

Notes and Comments
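An added example, not part of the original recipe or of PmWiki itself: a POSIX shell check for the layout the answer describes (farm outside the document root, a farmpub symlink in each field that resolves to the farm's pub/, and no directory listing on pub/). The function names check_farm and resolve are hypothetical, and every path is an assumption supplied by the caller.

```shell
#!/bin/sh
# Added example: audit a PmWiki farm layout against the recipe above.
# Usage: check_farm DOCROOT FARM_DIR FIELD_DIR...
# All paths are supplied by the caller; nothing here is PmWiki's own code.

resolve() { (cd "$1" 2>/dev/null && pwd -P); }   # physical path, or empty

check_farm() {
    docroot=$(resolve "$1"); farm=$(resolve "$2"); shift 2
    findings=0
    [ -n "$docroot" ] && [ -n "$farm" ] || { echo "FAIL: bad docroot or farm path"; return 2; }

    # 1. The farm (pmwiki.php, scripts/, cookbook/) must sit outside the docroot.
    case "$farm/" in
        "$docroot"/*) echo "FAIL: farm $farm is inside docroot $docroot"
                      findings=$((findings + 1)) ;;
    esac

    # 2. Each field needs a farmpub symlink that resolves to the farm's pub/.
    for field in "$@"; do
        link="$field/farmpub"
        if [ ! -L "$link" ]; then
            echo "FAIL: $link is missing or is not a symlink"
            findings=$((findings + 1))
        elif [ "$(resolve "$link")" != "$farm/pub" ]; then
            echo "FAIL: $link does not resolve to $farm/pub"
            findings=$((findings + 1))
        fi
    done

    # 3. pub/ should not be listable: empty index.html (A) or Options -Indexes (B).
    if [ ! -f "$farm/pub/index.html" ] &&
       ! grep -qiE '^[[:space:]]*Options[[:space:]].*-Indexes' "$farm/pub/.htaccess" 2>/dev/null; then
        echo "WARN: $farm/pub has neither index.html nor 'Options -Indexes'"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ] && echo "OK: layout matches the recipe"
    return "$findings"
}
```

The return value is the number of findings, so the function can gate a deployment script or a cron check.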
Am I correct in understanding that the above is not necessary if you are actually (intentionally!) running a field from the farm directory? I am using the farm install location (i.e. it now has a wiki.d directory) so am I correct that as far as users & field admins are concerned, this is just another field? Is there any benefit to moving my farm Dir as shown above, and converting the current farm+field location to a "just another field"??? -- Peter M.

First question: yes. Second question: yes. You can have config.php and farmconfig.php files in the farm's local directory. farmconfig.php is processed first and affects all fields, config.php affects only the field. Third question: For me the benefit lies in a clearer structure, having it nicely separated. Another benefit may be to have the pmwiki installation in a public non-accessible server space for added security, but I don't think this is essential. Otherwise it does not matter I think and you may well keep your setup as it is. ~HansB

Shouldn't this:
really be
Thanks! --joe

This recipe does not work if you have
in the config.php. (GC) Any suggestion?