
closed: moving to TWiki docs

Question

There's a slight problem with the TWikiInstallationGuide, and the default file permissions.

If one's web server is using suEXEC or CGI-Wrap, CGIs will execute as the user who owns the web directory. If, further, that server runs the old-fashioned way and all users are in group user, then the group-write permissions sprinkled liberally throughout the installation represent a potentially very serious security problem. I simply did a chmod -R g-w on the appropriate directories, but I've been a sysadmin working with Apache for many years & know to be paranoid about this stuff. A newbie installing the (relatively easy) software is fairly likely to be unaware of this issue.

I admit it's a bit obscure, but it might be worth a mention in the docs or even a warning from 'testenv'.

  • TWiki version: 20011201
  • Web server: Stronghold/2.3 Apache/1.2.6 C2NetUS/2010
  • Server OS: SunOS 5.7 (probably)
  • Web browser: Mozilla 5.0
  • Client OS: Debian GNU/Linux 2.2r2

-- JbBell - 12 Mar 2002

Answer

Good point - see also SecureSetup for some thoughts on this. CobaltRaqInstall has pointers to issues with cgiwrap and a patch to fix path_info problems when doing aliases + cgiwrap on Apache.

I'd be interested in comments on WindowsInstallCookbook as well, from an Apache security standpoint.

-- RichardDonkin - 13 Mar 2002

Moved this into Codev as a DocRequest.

-- RichardDonkin - 31 Mar 2002
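
The check suggested in the question, sketched as an added example (not TWiki's testenv and not code from this topic): it lists group-writable entries under an install tree, warns about them, and applies the `chmod -R g-w` fix the poster used. The function names and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# List files and directories under $1 that have the group-write bit set.
# Symlinks are skipped because their own mode bits are not enforced.
list_group_writable() {
    find "$1" ! -type l -perm -020 -print
}

# Number of group-writable entries under $1 (assumes no newlines in names).
count_group_writable() {
    list_group_writable "$1" | wc -l | tr -d ' '
}

# Warning in the style the question asks for: returns 1 if anything under
# $1 is group-writable, 0 otherwise.
check_group_write() {
    n=$(count_group_writable "$1")
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n group-writable entries under $1"
        echo "  (risky when CGIs run as the owner and all users share one group):"
        list_group_writable "$1" | sed 's/^/  /'
        return 1
    fi
    echo "OK: nothing under $1 is group-writable"
}

# The fix from the question: drop group-write recursively.
strip_group_write() {
    chmod -R g-w "$1"
}

# Constructed sample tree standing in for an install directory.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/data/Main" "$d/bin"
    : > "$d/data/Main/WebHome.txt"
    : > "$d/bin/view"
    chmod 775 "$d/data" "$d/data/Main"
    chmod 664 "$d/data/Main/WebHome.txt"
    chmod 755 "$d" "$d/bin" "$d/bin/view"
    before=0; check_group_write "$d" || before=$?
    strip_group_write "$d"
    after=0; check_group_write "$d" || after=$?
    rm -rf "$d"
    echo "status before fix: $before, after fix: $after"
}

demo
```

Run `check_group_write` against the real install path before changing anything, since removing group write is only appropriate where CGIs run as the directory owner.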

Topic revision: r4 - 2002-05-05 - MikeMannix
Copyright © 1999-2017 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.