FarmSecurity-OldVersion

Question

Are there special security measures needed for a farm installation of pmwiki?

Answer

If the farm installation of pmwiki has no pages, i.e. no wiki.d/ directory, and only the fields have wiki.d/ directories, then pmwiki.php can be run by anyone who knows or guesses its location and types it into a browser address bar. The consequence is that another field may be inadvertently created (in the farm's installation directory) and used by a third party.

To prevent this the best solution is to move the whole farm installation out of the public server space (out of the html/ or public_html/ directory tree) into a protected space which is not accessible to browsers, and then create a symlink or webserver alias so that /farmpub points to the farm's pub/ directory. You must create a symlink in each field.

Here is one example: suppose you have installed pmwiki to /wikifarm, which is not under a web-accessible path, and you want two fields, English (en) and French (fr). You must create two symlinks, one for each field. The following two ln commands create the two necessary /farmpub symlinks in the two field folders:

   ln -sv /usr/www/virtual/username/wikifarm/pub /usr/www/virtual/username/en.yourwebsite.ca/farmpub

   ln -sv /usr/www/virtual/username/wikifarm/pub /usr/www/virtual/username/fr.yourwebsite.ca/farmpub

(Remember, this is an example only; substitute paths for your environment as appropriate.)

After you have created the symlink(s), then set

   $FarmPubDirUrl = '/farmpub'; 

in farmconfig.php.

WARNING If your Apache installation enables "follow symlinks" and "directory listing allowed" by default, then the above could result in en.yourwebsite.ca/farmpub listing the contents of the /wikifarm/pub directory. (Of course, the web visitor would have to know or guess that /farmpub is the name of the symlink you used.) You can reduce unwelcome snooping by either: (A) creating an empty file called index.html and placing it in /wikifarm/pub; and/or (B) restricting access with a .htaccess file containing: Options -Indexes (note the minus sign before Indexes!).

If the above is not possible, the server is running Apache, and .htaccess files can be used, try this:
Create a .htaccess file in the farm's installation directory (where pmwiki.php resides) with this:

     Order Deny,Allow
     Deny from All

and create another .htaccess file in the farm's pub/ directory with this:

    Allow from All

The first .htaccess file prevents public access to the farm installation, including pmwiki.php and the scripts/ and cookbook/ directories. The second .htaccess file allows browser access to the pub/ directory and its subdirectories like css/, guiedit/ and skins/.
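The procedure above (farm kept outside the web root, one farmpub symlink per field, the two .htaccess files plus the empty index.html) as an added shell script; it is not part of the recipe, and the script name, the farm path and the field docroots are assumptions you replace with your own. It also refuses to run if the farm directory is inside a field's public docroot, which is the condition the answer warns about.

```shell
#!/bin/sh
# Added example (not part of the recipe). Paths are assumptions.
# usage: sh farm-setup.sh /path/to/wikifarm /docroot/of/field1 [field2 ...]
set -eu

# True only if FARM_DIR is not under DOCROOT, i.e. pmwiki.php is unreachable from a browser.
check_outside_docroot() {
    case "$1/" in
        "$2"/*) return 1 ;;
    esac
    return 0
}

# Create FIELD_DOCROOT/farmpub -> FARM_DIR/pub (idempotent) and verify the link target.
link_farmpub() {
    farm="$1"; field="$2"
    [ -d "$farm/pub" ] || { echo "no pub/ under $farm" >&2; return 1; }
    mkdir -p "$field"
    if [ -L "$field/farmpub" ]; then rm "$field/farmpub"; fi
    ln -sv "$farm/pub" "$field/farmpub"
    [ "$(readlink "$field/farmpub")" = "$farm/pub" ]
}

# Deny web access to the farm root (pmwiki.php, scripts/, cookbook/), re-allow it
# only under pub/, and switch off directory listings so /farmpub cannot be browsed.
write_htaccess() {
    farm="$1"
    cat > "$farm/.htaccess" <<'EOF'
# Apache 2.2 syntax as in the recipe; Apache 2.4 uses "Require all denied"
Order Deny,Allow
Deny from All
EOF
    cat > "$farm/pub/.htaccess" <<'EOF'
Options -Indexes
Allow from All
EOF
    # belt and braces: an empty index.html also suppresses listings
    [ -e "$farm/pub/index.html" ] || : > "$farm/pub/index.html"
}

if [ $# -ge 2 ]; then
    farm="$1"; shift
    for field in "$@"; do
        check_outside_docroot "$farm" "$field" ||
            { echo "$farm is inside docroot $field" >&2; exit 1; }
        link_farmpub "$farm" "$field"
    done
    write_htaccess "$farm"
fi
```

On Apache 2.4 the Order/Deny/Allow directives only work with mod_access_compat loaded; otherwise use "Require all denied" in the farm root and "Require all granted" in pub/.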

Notes and Comments

  • This recipe was last tested on PmWiki version:
  • This recipe requires at least PmWiki version: and (any other recipes)
Am I correct in understanding that the above is not necessary if you are actually (intentionally!) running a field from the farm directory? I am using the farm install location (i.e. it now has a wiki.d directory) so am I correct that as far as users & field admins are concerned, this is just another field? Is there any benefit to moving my farm Dir as shown above, and converting the current farm+field location to a "just another field"??? -- Peter M.
First question: yes. Second question: yes. You can have config.php and farmconfig.php files in the farm's local directory. farmconfig.php is processed first and affects all fields, config.php affects only the field. Third question: For me the benefit lies in a clearer structure, having it nicely separated. Another benefit may be to have the pmwiki installation in a public non-accessible server space for added security, but I don't think this is essential. Otherwise it does not matter I think and you may well keep your setup as it is. ~HansB

Shouldn't this:

   $FarmPubDirUrl = '/farmpub'; 

really be

   $FarmPubDirUrl = 'farmpub/'; 
I prefer this: $FarmPubDirUrl = './farmpub'; (G. Calderon)

Thanks! --joe


This recipe does not work if you have

in the config.php. (GC)

Any suggestion?


Contributors

HansB
