FarmSecurity-OldVersion
Question
Are there special security measures needed for a farm installation of pmwiki?
Answer
If the farm installation of pmwiki has no pages of its own, i.e. no wiki.d/ directory, and only the fields have wiki.d/ directories, then the farm's pmwiki.php can be run by anyone who knows or guesses its location and types that URL into a browser address bar. The consequence is that another field may be inadvertently created (in the farm's installation directory) and used by a third party.
To prevent this, the best solution is to move the whole farm installation out of the public server space (out of the html/ or public_html/ directory tree) into a protected location that browsers cannot reach, and then create a symlink or webserver alias so that /farmpub points to the farm's pub/ directory. Because each field has its own document root, you must create one such symlink (or alias) in each field.
Here is one example: suppose you have installed pmwiki to /wikifarm, which is not on a WWW-accessible path, and you want to have two fields, English (en) and French (fr). You must create two symlinks, one for each field. The following two ln commands create the two necessary /farmpub symlinks in the two field folders:
ln -sv /usr/www/virtual/username/wikifarm/pub /usr/www/virtual/username/en.yourwebsite.ca/farmpub
ln -sv /usr/www/virtual/username/wikifarm/pub /usr/www/virtual/username/fr.yourwebsite.ca/farmpub
(Remember, this is an example only; substitute paths for your environment as appropriate.)
After you have created the symlink(s), then set
$FarmPubDirUrl = '/farmpub';
in farmconfig.php.
WARNING If your Apache installation enables "follow symlinks" (FollowSymLinks) and "directory listing allowed" (Indexes) by default, then the symlink above could result in en.yourwebsite.ca/farmpub listing the contents of the /wikifarm/pub directory. (Of course, the web visitor would have to know or guess that /farmpub is the name of the symlink you used, but that is obscurity rather than protection.) Note that FollowSymLinks (or SymLinksIfOwnerMatch) must stay enabled for the symlink to work at all, so the fix is to disable the listing, not the symlink following. You can reduce unwelcome snooping by either: (A) creating an empty file called index.html and placing it in /wikifarm/pub; and/or (B) restricting listings with a .htaccess file in /wikifarm/pub containing: Options -Indexes (note the minus sign before Indexes!). Option B only takes effect if the server's AllowOverride for that directory includes Options (or is All).
If the above is not possible, and the server is running Apache and .htaccess files can be used, try this:
Create a .htaccess file in the farm's installation directory (where pmwiki.php resides) with this:
Order Deny,Allow
Deny from All
and create another .htaccess file in the farm's pub/ directory with this:
Allow from All
The first .htaccess file prevents public access to the farm installation, including pmwiki.php and the scripts/ and cookbook/ directories. The second .htaccess file allows browser access to the pub/ directory and its subdirectories like css/, guiedit/ and skins/. These are Apache 2.2-style directives (they need AllowOverride Limit); on Apache 2.4 they only work with mod_access_compat loaded, and the native equivalents are "Require all denied" for the farm directory and "Require all granted" for pub/. After adding either file, confirm that a request for the farm's pmwiki.php returns 403 while a file under pub/ is still served.
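The whole procedure above (farm outside the web root, one /farmpub symlink per field, $FarmPubDirUrl in farmconfig.php, and the two .htaccess files) as an added worked example. This is not code from the PmWiki page or the PmWiki project: it builds a throwaway layout under a scratch directory, and the paths /wikifarm, en.yourwebsite.ca and fr.yourwebsite.ca are assumed stand-ins for your own environment. The check functions verify what a practitioner would check by hand: that each field's farmpub link resolves to the farm's pub/ directory and that the protective files are in place.

```shell
#!/bin/sh
# Added example (not from the PmWiki page or project). Everything is created
# under a scratch directory; the farm and field paths are assumed stand-ins.
set -eu

ROOT="${ROOT:-$(mktemp -d)}"
FARM="$ROOT/wikifarm"                 # farm installation, outside the web root
WWW="$ROOT/usr/www/virtual/username"  # parent of the per-field document roots

# Farm layout: pmwiki.php, scripts/, cookbook/ and pub/ live outside the web
# root; pub/ gets option (A) an empty index.html and (B) Options -Indexes.
setup_farm() {
  mkdir -p "$FARM/pub/css" "$FARM/pub/skins" "$FARM/scripts" "$FARM/cookbook"
  : > "$FARM/pmwiki.php"
  : > "$FARM/pub/index.html"
  printf 'Options -Indexes\n' > "$FARM/pub/.htaccess"
}

# farmconfig.php only needs the URL that the symlink name exposes.
write_farmconfig() {
  cat > "$FARM/farmconfig.php" <<'EOF'
<?php if (!defined('PmWiki')) exit();
$FarmPubDirUrl = '/farmpub';
EOF
}

# One field: its own docroot with wiki.d/ and a farmpub symlink to the farm pub/.
add_field() {
  mkdir -p "$WWW/$1/wiki.d"
  ln -s "$FARM/pub" "$WWW/$1/farmpub"
}

# Fallback from the page: deny the farm directory, re-allow its pub/ subtree.
# (Apache 2.2 syntax; on 2.4 use "Require all denied" / "Require all granted".)
write_htaccess_fallback() {
  printf 'Order Deny,Allow\nDeny from all\n' > "$FARM/.htaccess"
  printf 'Allow from all\n' >> "$FARM/pub/.htaccess"
}

# Check: does the field's farmpub link point at the farm pub/ and reach index.html?
check_field() {
  target=$(readlink "$WWW/$1/farmpub") || return 1
  [ "$target" = "$FARM/pub" ] && [ -f "$WWW/$1/farmpub/index.html" ]
}

# Check: farmconfig.php carries the exact setting from the page.
check_farmconfig() {
  grep -qF "\$FarmPubDirUrl = '/farmpub';" "$FARM/farmconfig.php"
}

# Check: farm dir is denied, pub/ is allowed and does not list directories.
check_htaccess() {
  grep -qF 'Deny from all' "$FARM/.htaccess" &&
  grep -qF 'Allow from all' "$FARM/pub/.htaccess" &&
  grep -qF 'Options -Indexes' "$FARM/pub/.htaccess"
}

setup_farm
write_farmconfig
for field in en.yourwebsite.ca fr.yourwebsite.ca; do
  add_field "$field"
done
write_htaccess_fallback
echo "farm laid out under $ROOT"
```

Run it as is to see the layout, or set ROOT to a directory of your choice; the symlinks use absolute targets exactly as the ln commands on this page do, so they keep working wherever the field docroots are served from.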
Notes and Comments
- This recipe was last tested on PmWiki version:
- This recipe requires at least PmWiki version: and (any other recipes)
Shouldn't this:
$FarmPubDirUrl = '/farmpub';
really be
$FarmPubDirUrl = 'farmpub/';
- I prefer this: $FarmPubDirUrl = './farmpub'; (G. Calderon)
Thanks! --joe
This recipe does not work if you have
$EnablePathInfo = 1;
in the config.php. (GC)
Any suggestion?
See Also
- Cookbook.WebServerSecurity for more information about .htaccess files.
- PmWiki.Security for other pages about security.