TWiki > Codev > CgiWrapAndSuExecSecurity (2002-05-05, MikeMannix)

closed: moving to TWiki docs

Question

There's a slight problem with the TWikiInstallationGuide, and the default file permissions.

If one's web server is using suEXEC or CGIWrap, CGIs will execute as the user who owns the web directory. If, further, that server runs the old-fashioned way and all users are in group user, then the group-write permissions sprinkled liberally throughout the installation represent a potentially very serious security problem. I simply did a chmod -R g-w on the appropriate directories, but I've been a sysadmin working with Apache for many years and know to be paranoid about this stuff. A newbie installing the (relatively easy) software is fairly likely to be unaware of this issue.

I admit it's a bit obscure, but it might be worth a mention in the docs or even a warning from 'testenv'.

  • TWiki version: 20011201
  • Web server: Stronghold/2.3 Apache/1.2.6 C2NetUS /2010
  • Server OS: SunOS 5.7 (probably)
  • Web browser: Mozilla 5.0
  • Client OS: Debian GNU/Linux 2.2r2

-- JbBell - 12 Mar 2002
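The check a sysadmin would want before (or instead of) a blanket chmod -R g-w, as an added example that is not part of the original post or of TWiki itself: a small POSIX shell script that lists every group-writable file and directory under an install tree, shows who else is in the owning group (the "everyone is in group users" case the post describes), and then strips group write. The sample tree it builds (bin/, data/, pub/ with a couple of files) is constructed here for illustration and stands in for a real TWiki install; the function names are this example's own. Note that Apache suEXEC refuses to run a CGI whose file or containing directory is group- or world-writable, so bin/ usually fails loudly, while data/ and pub/ stay silently exposed, which is exactly what this audit surfaces.

```shell
#!/bin/sh
# Added example (not TWiki code): audit a web tree for group-writable paths
# when CGIs run as the directory owner under suEXEC or CGIWrap.

# Print every group-writable file or directory under $1, one per line.
# -perm -020 is the octal form of "group write bit set" and is portable.
find_group_writable() {
    find "$1" -perm -020 -print | sort
}

# Print the members of the group owning $1 other than the owner of $1.
# Empty output means nobody else can use the group-write bit; any output
# names the local users who could edit the tree (reads /etc/group only,
# so NIS/LDAP groups are not covered - an assumption of this example).
group_other_members() {
    owner=$(ls -ld "$1" | awk '{print $3}')
    group=$(ls -ld "$1" | awk '{print $4}')
    grep "^${group}:" /etc/group | awk -F: '{print $4}' | tr ',' '\n' \
        | grep -v "^${owner}\$" | grep -v '^$' || true
}

# The fix from the post: remove group write from the whole tree.
fix_group_writable() {
    chmod -R g-w "$1"
}

# Constructed sample tree standing in for a TWiki install.  The modes mimic
# a default install: scripts 755, data and pub group-writable.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/data/Main" "$d/pub"
    printf '#!/usr/bin/perl\n' > "$d/bin/view"
    printf 'topic text\n' > "$d/data/Main/WebHome.txt"
    chmod 755 "$d" "$d/bin" "$d/bin/view"
    chmod 775 "$d/data" "$d/data/Main" "$d/pub"
    chmod 664 "$d/data/Main/WebHome.txt"
    echo "$d"
}

# Run with --demo to see the audit before and after the fix on the sample tree.
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    echo "Group-writable paths before fix:"
    find_group_writable "$tree"
    echo "Other members of the owning group:"
    group_other_members "$tree"
    fix_group_writable "$tree"
    echo "Group-writable paths after fix:"
    find_group_writable "$tree"
    rm -rf "$tree"
fi
```

Run it against a real install as `find_group_writable /path/to/twiki` before touching anything; if group_other_members prints names, every one of them can rewrite topics and attachments that the CGI will later serve and run as the directory owner.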

Answer

Good point - see also SecureSetup for some thoughts on this. CobaltRaqInstall has pointers to issues with cgiwrap and a patch to fix path_info problems when doing aliases + cgiwrap on Apache.

I'd be interested in comments on WindowsInstallCookbook as well, from an Apache security standpoint.

-- RichardDonkin - 13 Mar 2002

Moved this into Codev as a DocRequest.

-- RichardDonkin - 31 Mar 2002

Topic revision: r4 - 2002-05-05 - 20:47:34 - MikeMannix
Codev.CgiWrapAndSuExecSecurity moved from Support.CgiWrapAndSuExecSecurityPotentialProblem on 2002-03-31 - 11:45 by RichardDonkin - put it back