closed: moving to TWiki docs
Question
There's a slight problem with the TWikiInstallationGuide and the default file permissions.
If one's web server is using suEXEC or CGI-Wrap, CGIs will execute as the user who owns the web directory. If, further, that server runs the old-fashioned way and all users are in group user, then the group-write permissions sprinkled liberally throughout the installation represent a potentially very serious security problem. I simply did a chmod -R g-w on the appropriate directories, but I've been a sysadmin working with Apache for many years & know to be paranoid about this stuff. A newbie installing the (relatively easy) software is fairly likely to be unaware of this issue.
I admit it's a bit obscure, but it might be worth a mention in the docs or even a warning from 'testenv'.
- TWiki version: 20011201
- Web server: Stronghold/2.3 Apache/1.2.6 C2NetUS/2010
- Server OS: SunOS 5.7 (probably)
- Web browser: Mozilla 5.0
- Client OS: Debian GNU/Linux 2.2r2
--
JbBell - 12 Mar 2002
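An audit of the permission problem raised in the question above, as an added example that is not part of the original posts or of TWiki itself: it lists and counts group-writable entries under an install directory before removing only that bit. The function names and the demo tree (paths, modes) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not TWiki code): audit an install tree for group-write bits.
# Function names and the demo tree below are assumptions for illustration.

# Print an "ls -ld" line for every entry under DIR with the group-write bit.
# Symlinks are skipped: access is decided by the target's mode, not the link's.
list_group_writable() {
    find "$1" ! -type l -perm -020 -exec ls -ld {} +
}

# Count the same entries. One dot is printed per entry, so unusual file
# names (spaces, newlines) cannot skew the count.
count_group_writable() {
    find "$1" ! -type l -perm -020 -exec printf '.' \; | wc -c | tr -d ' '
}

# Remove only the group-write bit; owner and other bits are left alone.
strip_group_write() {
    find "$1" ! -type l -perm -020 -exec chmod g-w {} +
}

# Constructed demo tree: one group-writable directory and file, plus two
# entries that are already safe. Nothing here comes from a real install.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/data" "$d/bin"
    : > "$d/data/WebHome.txt"
    : > "$d/bin/view"
    chmod 775 "$d/data"
    chmod 664 "$d/data/WebHome.txt"
    chmod 755 "$d/bin" "$d/bin/view"
    echo "before: $(count_group_writable "$d") group-writable"
    list_group_writable "$d"
    strip_group_write "$d"
    echo "after:  $(count_group_writable "$d") group-writable"
    rm -rf "$d"
}

# Run the demo only when asked, e.g.: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Reviewing the listing first shows which directories the web server user still needs to write to as owner before any bits are changed.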
Answer
Good point - see also SecureSetup for some thoughts on this.
CobaltRaqInstall has pointers to issues with cgiwrap and a patch to fix path_info problems when doing aliases + cgiwrap on Apache.
I'd be interested in comments on WindowsInstallCookbook as well, from an Apache security standpoint.
--
RichardDonkin - 13 Mar 2002
Moved this into Codev as a DocRequest.
--
RichardDonkin - 31 Mar 2002