
In Using Unix Groups For TWiki Security I describe, well, Using Unix Groups For TWiki Security.

Multiple Separate TWiki Installations For Security describes what I think is the most secure configuration, although it can be a pain to administer changes to "shared" webs and templates.

This page describes Multiple Separate TWiki Installations For Security.

Basically, I set up multiple access paths (cgi directories of setgid scripts), but point them all to the same set of twiki files.

Each access path must be given a different setlib.cfg and TWiki.cfg; that is pretty easy to do.

The twiki/data/web directories should have ownerships and permissions set appropriately. OBSERVATIONS: if a web is not readable by the currently running set of TWiki scripts, it appears in the WEBLIST with its name, but everything else blacked out. Attempts to enter it will seem to go to a nonexisting page that you can then try to create (apparently TWiki does not distinguish EPERM from EEXIST), but you will not be allowed to commit to the file (of course).

You may want to create still another group to own the generic twiki stuff, like the Main and TWiki webs.

Annoyingly, you also need to track the twiki/pub/web directories for attachments. This is annoying because they get created behind your back; best is to create them upfront, and force the appropriate ownerships and permissions. It's also annoying, because there are now two directories that need to have the same permissions.

The shared twiki/bin and twiki/lib files should be owned by a group, ideally a group different from that in which any of the setgid access paths will run, and set readable or executable as necessary. This group should also own the directory framework leading up to the twiki/data and twiki/pub files; basically, everything except the actual content should get owned by someone the webserver will never run as.

Given all this, you are reasonably secure.

The biggest problem is administrative - it is easier to keep permissions homogeneous, than to have to carefully watch the permissions for each directory.


I've had a Problem with Overprivileged Webserver, but that is just broken sysadmin (and a deficiency in UNIX).

-- AndyGlew - 15 Apr 2003
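Added example, not part of Andy's post or of TWiki itself: a POSIX shell script that creates a web's twiki/data and twiki/pub directories up front with one group and setgid mode (so TWiki never creates the pub directory behind your back with default permissions), then audits that the pair still match and that the shared bin and lib trees are not group-owned by any group an access path runs as. The tree layout under the root argument, the 2770 mode and all group names are assumptions.

```shell
#!/bin/sh
# Constructed example of the per-web ownership scheme; paths and groups are assumed.

# Mode for a web's data and pub directories: group rwx plus setgid, so files
# TWiki creates inherit the web's group; no access at all for "other".
WEB_DIR_MODE=2770

# Create twiki/data/WEB and twiki/pub/WEB together, same group, same mode.
setup_web() {
  root=$1; web=$2; group=$3
  for d in "$root/data/$web" "$root/pub/$web"; do
    mkdir -p "$d" || return 1
    chgrp "$group" "$d" || return 1
    chmod "$WEB_DIR_MODE" "$d" || return 1
  done
}

# Group name owning a path (parses ls -ld; portable across GNU and BSD).
owner_group() {
  ls -ld "$1" | awk '{print $4}'
}

# Audit one web: both directories exist, share a group, and carry WEB_DIR_MODE.
# Returns 1 with a diagnostic on the first mismatch.
audit_web() {
  root=$1; web=$2
  data="$root/data/$web"; pub="$root/pub/$web"
  [ -d "$data" ] && [ -d "$pub" ] || { echo "missing data or pub dir for $web"; return 1; }
  [ "$(owner_group "$data")" = "$(owner_group "$pub")" ] \
    || { echo "group mismatch between data and pub for $web"; return 1; }
  for d in "$data" "$pub"; do
    # find -prune -perm MODE prints the path only if the mode matches exactly
    [ -n "$(find "$d" -prune -perm "$WEB_DIR_MODE")" ] \
      || { echo "wrong mode on $d (want $WEB_DIR_MODE)"; return 1; }
  done
}

# Audit the shared code: bin and lib must not be group-owned by any group an
# access path runs as (remaining args), so a compromised script cannot rewrite
# the code it executes.
audit_shared() {
  root=$1; shift
  for d in "$root/bin" "$root/lib"; do
    g=$(owner_group "$d")
    for ap in "$@"; do
      [ "$g" != "$ap" ] || { echo "$d is group-owned by access-path group $g"; return 1; }
    done
  done
}
```

Run `audit_web` for every web and `audit_shared` with the list of access-path groups from cron, so drift in either directory of a pair is caught before it becomes an exposure.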

Andy - can you package up these recommendations somehow? Maybe some specific instructions rather than general recommendations would be a good start.

I think the community would be especially grateful if this could make the forthcoming Dakar - I certainly would!

-- MartinCleaver - 06 Dec 2004

I would be happy to - but, unfortunately, I have left the employer at which I set this TWiki system up, and I no longer have access to the source code.

What I describe using setgid scripts would not have helped the twiki backtick bugs that are causing so much grief recently. Well, actually they would have... but only if the userids and groups that you had setuid and setgid'ed to were suitably deprivileged. Which I always try to do... but, frankly, the only cast-iron way to accomplish this that I am aware of is to execute twiki in a chroot box, populated with only the minimal command set necessary. And, I fear, the minimal command set necessary to run twiki is pretty large, possibly too large to be secured.

By the way, since I left AMD, I am no longer actively reading www.twiki.org. I'd like to help, but if you want to contact me, and you want me to respond when contacted, you must email me, not just post on a twiki page and hope that I notice. mailto:twiki.NOSPAM@patten-glewPLEASENOSPAM.NOSPAM.net.NOSPAM

It is possible the twiki notify has been improved in the almost two years since I last participated fully in the twiki.org community. If it has, then I'll set it up to notify me more quickly. But I certainly have not yet.

-- AndyGlew - 27 Dec 2004

Topic revision: r5 - 2004-12-27 - AndyGlew