
Question

I followed the instructions in setting up a twiki. The way the distribution zip is created, there is a twiki directory with everything in it. The index.html page is in this top level directory and there are subdirectories for bin, data, lib, pub and templates. Following the instructions for setup of Apache, my httpd.conf file includes a line Alias /twiki/ "/home/httpd/twiki/". In fact, here's my Apache's relevant section.

    ScriptAlias /twiki/bin/ "/home/httpd/twiki/bin/"
    Alias /twiki/ "/home/httpd/twiki/"
    <Directory "/home/httpd/twiki/bin">
       Options +ExecCGI
       SetHandler cgi-script
       AllowOverride all
       Allow from all
    </Directory>
    <Directory "/home/httpd/twiki/pub">
       Options FollowSymLinks +Includes
       AllowOverride None
       Allow from all
    </Directory>
    <Directory "/home/httpd/twiki/data">
       Deny from all
    </Directory>
    <Directory "/home/httpd/twiki/templates">
       deny from all
    </Directory>

Is the alias of /twiki/ to /home/httpd/twiki/ a huge security problem? Is there a section missing for deny from all for "/home/httpd/twiki/lib"?

  • TWiki version: Cairo
  • Perl version:
  • Web server & version: Apache
  • Server OS: Linux
  • Web browser & version:
  • Client OS:

-- GrantBow - 20 May 2003

Answer

That looks like an issue. Best to enable only the twiki/bin as a cgi-bin and the twiki/pub as a htdoc directory. All other dirs should not be accessible by browser. The Apache related docs are somewhat outdated and need to be fixed.

-- PeterThoeny - 27 May 2003

I was complaining a lot recently, so I'd like to explain my gratitude here to both of you guys - to GrantBow for thinking out loud, and to PeterThoeny for fixing it so even newbie admins like me could have a secure installation, even if we do not understand what the problem is and what the solution is ;-)

Thank you guys!

-- PeterMasiar - 27 May 2003

Well I added the deny from all for twiki/lib but it still didn't work to protect TWiki.cfg from being downloaded as a file. (That's a problem IMHO, PeterMasiar.) My experiences trying to change the way that Apache and TWiki depend on each other have not been easy in the past. I'll adjust the TWiki.cfg as best I can. I'll try what you suggest and report the result here. When I know exactly what changes are needed I will mark this question as fully answered.

-- GrantBow - 27 May 2003
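
The gap raised in the question can be checked mechanically. The following is an added example, not part of the original thread and not TWiki's own code: it reads the Apache section quoted in the question and lists every distribution subdirectory that sits under the broad Alias, is not meant to be browsable per the answer (only bin and pub), and has no `<Directory>` block of its own containing "Deny from all". The function names are hypothetical, and the check is deliberately simplified: it ignores .htaccess files, `<Location>` sections and Apache's section merging.

```python
import re

# Constructed input: the Apache section quoted in the question, verbatim.
HTTPD_CONF = '''
ScriptAlias /twiki/bin/ "/home/httpd/twiki/bin/"
Alias /twiki/ "/home/httpd/twiki/"
<Directory "/home/httpd/twiki/bin">
   Options +ExecCGI
   SetHandler cgi-script
   AllowOverride all
   Allow from all
</Directory>
<Directory "/home/httpd/twiki/pub">
   Options FollowSymLinks +Includes
   AllowOverride None
   Allow from all
</Directory>
<Directory "/home/httpd/twiki/data">
   Deny from all
</Directory>
<Directory "/home/httpd/twiki/templates">
   deny from all
</Directory>
'''
SUBDIRS = ["bin", "data", "lib", "pub", "templates"]  # as listed in the question
MEANT_PUBLIC = {"bin", "pub"}                         # per the answer

def alias_roots(conf):
    """Filesystem paths mapped by plain Alias lines (ScriptAlias is skipped)."""
    pattern = r'(?im)^[ \t]*Alias[ \t]+\S+[ \t]+"?([^"\s]+)"?'
    return [m.group(1).rstrip("/") for m in re.finditer(pattern, conf)]

def denied_dirs(conf):
    """Paths whose own <Directory> block contains a 'Deny from all' line."""
    blocks = re.findall(r'(?is)<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', conf)
    return {path.strip().rstrip("/") for path, body in blocks
            if re.search(r'(?im)^[ \t]*Deny[ \t]+from[ \t]+all[ \t]*$', body)}

def exposed(conf, subdirs=SUBDIRS, meant_public=MEANT_PUBLIC):
    """Subdirectories under an Alias root that are neither public nor denied."""
    denied = denied_dirs(conf)
    return [f"{root}/{name}" for root in alias_roots(conf) for name in subdirs
            if name not in meant_public and f"{root}/{name}" not in denied]

if __name__ == "__main__":
    for path in exposed(HTTPD_CONF):
        print("no 'Deny from all' block for", path)
```

A clean result only describes the configuration text. Whether a file such as TWiki.cfg is actually served still has to be confirmed with a request against the running server.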

Topic revision: r6 - 2004-05-05 - PeterThoeny
 
Copyright © 1999-2026 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.