This topic offers a work-around for TWikiOnWebHostingSites where lack of root user rights makes dealing with files owned by nobody difficult. Please note that this work-around involves a cgi script that can present significant security issues.

In my effort to install TWiki on a hosted domain (see my report of experience at TWikiOnWebHostingSites#Aletia) I kept running up against the problem of dealing with files and directories having ownership nobody. Without root access, I had to resort to repeatedly asking support to execute a chown command for me.

I have found a partial work-around for this situation using a cgi script called "Shell.pl" which you can get at http://www.verysimple.com/scripts/webtoolz.html (it's included in a package of several free utility scripts). This script executes shell commands as user nobody which has enabled me to make changes to files and directories owned by nobody.

WARNING: This script presents significant security issues which are addressed in the documentation. Personally, I have found it easiest simply to upload when I need it and then delete it when I'm through making whatever changes I needed.

-- LynnwoodBrown - 03 May 2002

I know you put in a security warning above, but it's worse than you may have thought!

This script is very insecure and should not be used at all - it doesn't even require a password, so your server is completely open to attack while the script is uploaded. If you forget to delete it, or your local Internet connection goes down for some hours before you can delete it, your web hosting server remains wide open (including any other accounts that have files owned by 'nobody').

There are scripts that scan for open servers all the time (which is why an unpatched Linux server can be hacked in only a few hours after being connected to the Net), so this could even happen while you are using the script, if someone writes an exploit script.

Please use CGI-Telnet instead, which is attached to TWikiDebugging - this requires a password at all times, which guards against this hole.

  • I have installed CGI-Telnet and I might add that not only is it more secure, it's generally a better-implemented program with more features than the Shell.pl script I mentioned earlier. Keep in mind, as noted in TWikiDebugging, it still represents a potential security risk, although less than Shell. --LB

The best solution is to have your webhost implement SecureSetup, i.e. using suexec or cgiwrap - this lets your scripts run under your userid, avoiding this problem completely. Dreamhost have a good setup that is very easy to install TWiki under, unlike CobaltRaqInstall - see TWikiOnWebHostingSites#Dreamhost.

-- RichardDonkin - 04 May 2002
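
A way to check for the failure mode discussed above (a utility CGI script left behind in the script directory, or files there owned by another user such as nobody), as an added example that is not part of the original posts. The function name `audit_cgi_dir` and the allowlist file format (one expected file name per line) are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit a CGI directory on a hosted account.
# Reports any file that is not on an allowlist of expected script names,
# and any file whose owner is not the user running the audit.
# Usage: audit_cgi_dir DIR ALLOWLIST_FILE   (hypothetical helper name)

audit_cgi_dir() {
    dir=$1
    allow=$2
    me=$(id -u)
    status=0
    # Cover regular names and dotfiles; an unmatched glob is skipped below.
    for path in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$path" ] || continue
        name=${path##*/}
        # -x whole-line match, -F literal string: no regex surprises in names.
        if ! grep -qxF -- "$name" "$allow"; then
            echo "UNEXPECTED $name"
            status=1
        fi
        # Third field of 'ls -ldn' is the numeric owner uid.
        owner=$(ls -ldn -- "$path" | awk '{print $3}')
        if [ "$owner" != "$me" ]; then
            echo "FOREIGN-OWNER $name uid=$owner"
            status=1
        fi
    done
    return $status
}

# Run directly when called with two arguments, e.g. from cron.
if [ "$#" -eq 2 ]; then
    audit_cgi_dir "$1" "$2"
fi
```

Run from cron under your own account, a non-zero exit status can trigger a mail alert, so a forgotten upload is noticed even if your own connection drops.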

Thanks Richard for the warning and further suggestions. My preliminary preview of SecureSetup raises a whole host of questions regarding making the transition smoothly without risking totally crippling my TWiki site. In the interest of not burdening TWiki's support web with yet another server-admin related question, I've created a topic in my own TWiki site to list my questions and whatever answers I come up with. Those interested and willing to make suggestions can see it here. Since this is a topic of general interest to folks with hosted TWiki sites, after I've made the modifications to my installation, I'll post a step-by-step description of what I did (as part of either SecureSetup or HostedTWikiRCSInstall). In the meantime, I'll take your suggestion of using CGI-Telnet rather than the Shell script I recommended before. Thanks again!

-- LynnwoodBrown - 04 May 2002

I had a look at your page, and I think the contents are quite OK to discuss here - you are pushing beyond a standard TWiki installation in going for SecureSetup, so this is not just a 'basic server admin' issue of the sort I was ranting about at AdminSkillsAssumptions :-)

So, here are your questions from that page, with some comments:

  • Where shall I have the TWiki-related scripts? Aletia's documentation regarding cgi-wrap indicates that it is installed only for the main cgi-bin folder. My TWiki scripts are installed in the twiki sub-domain bin folder. So do I need to transfer my TWiki scripts over to the main folder (and what will that do to TWiki) or can I have them activate cgi-wrap for my current twiki/bin folder?
    • This is specific to your setup at Aletia - the best option is to have them enable cgiwrap for your 'twiki.skyloom.com' subdomain. -- RD
  • Does it matter where my TWiki data directories are? Currently I have them outside of my html directory, as suggested for security reasons. Are they OK there when I use cgi-wrap or should I move them back under the twiki directory within the html directory (which would be more like a "normal" twiki installation)?
    • Not particularly - this is not affected by use of cgiwrap, though putting them outside the HTML tree is a good idea of course. --RD
  • Am I going to have to install some patches in TWiki as described in TWiki:Support/CobaltRaqInstall ?
    • Probably, but not necessarily - depends on exact setup of cgiwrap and use of Apache aliases. If you do, you might want to download the latest TWikiBetaRelease, as this includes that patch. Download the latest testenv from CVSget:bin/testenv, and do the PATH_INFO test mentioned within the page it generates - if this fails, you need the patched TWiki code. --RD

Hope this helps!

-- RichardDonkin - 05 May 2002

Related topics: HostedSiteInstallationGuide, TWikiOnWebHostingSites, SecureSetup, TWikiDebugging

Topic revision: r7 - 2002-08-11 - RichardDonkin
Copyright © 1999-2017 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.