[dokuwiki] Re: making DokuWiki secure on a shared web host

  • From: Luke Howson <mail@xxxxxxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Thu, 02 Aug 2007 19:19:15 +1000

Andreas Gohr wrote:
> Chuck Soper writes:
>
>> Is the "wiki:security" page up to date?
>
> Yes, however keep in mind that most things there are recommended
> precautions but not strictly necessary.
>
>> What is the best way to ensure that my DokuWiki is secure and protected?
>
> Set up a restrictive ACL and make sure file permissions are set to a
> bare minimal needed value. The latter might be difficult for you to do
> on a shared host, depending on how the Webserver/PHP was set up. See
> http://wiki.splitbrain.org/wiki:install:permissions for details.

Chuck wants his wiki protected from "other users at my web host from
viewing or modifying any part of the wiki". I don't have much experience
with secured shared web hosting, but on a plain vanilla Linux, my
understanding is that you usually have PHP run in the process space of
Apache (and hence it shares the security context it is run with). If you
just have a bunch of virtual hosts set up, they will all run under the
same context, so all PHP scripts can access precisely the same files.

I am ignorant of how shared web hosting works in practice, but what you
need to do is somehow tie different uids to different Apache processes.
This *would* be done using the perchild module, adding the AssignUserID
directive in the virtual host section, and the ChildPerUserID in the
global section of the Apache conf file. I say "would" because the
perchild mod does not work yet.

I understand that if you run Apache in CGI mode, you can wrap it with a
setuid program.

However, for performance reasons, I don't know that many web hosting
companies would actually do this. I would check it out with them.
(Actually I would probably just write a PHP script to try reading
someone else's files :) ).

Ultimately you would have to trust anyone with the root password on the
shared web host.

Regards,

Luke
-- 
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
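
The file-permission advice quoted in this message can be checked from inside the hosting account. The script below is an added example, not part of the original post or of DokuWiki: it walks a directory tree and reports every entry that grants access to "other". The sample tree and its file names are constructed for the demonstration.

```python
import os
import shutil
import stat
import tempfile

# Mode bits that grant access to accounts outside the owner and group.
OTHER_BITS = {
    stat.S_IROTH: "world-readable",
    stat.S_IWOTH: "world-writable",
    stat.S_IXOTH: "world-executable/searchable",
}

# Constructed sample layout (hypothetical names, not a real install):
# (relative path, mode, is_dir)
SAMPLE = [
    ("conf", 0o750, True),
    ("conf/example.conf", 0o644, False),   # readable by every account
    ("data", 0o777, True),                 # open to every account
    ("data/example.txt", 0o660, False),    # owner and group only
]

def build_sample_tree(base):
    """Create the constructed sample tree under an existing directory."""
    os.chmod(base, 0o750)
    for rel, mode, is_dir in SAMPLE:
        path = os.path.join(base, *rel.split("/"))
        if is_dir:
            os.mkdir(path)
        else:
            with open(path, "w") as fh:
                fh.write("sample\n")
        os.chmod(path, mode)  # explicit chmod so the umask does not matter

def audit_tree(root):
    """Return sorted (relative_path, [issues]) for entries open to 'other'."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):  # symlinked dirs not followed
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits carry no meaning
            issues = [lbl for bit, lbl in OTHER_BITS.items() if st.st_mode & bit]
            if issues:
                findings.append((os.path.relpath(path, root), issues))
    return sorted(findings)

if __name__ == "__main__":
    base = tempfile.mkdtemp()
    try:
        build_sample_tree(base)
        for rel, issues in audit_tree(base):
            print(f"{rel}: {', '.join(issues)}")
    finally:
        shutil.rmtree(base)
```

A clean report only covers access by other Unix accounts. Where every virtual host's PHP runs under the same Apache uid, as the message describes, mode bits do not separate one customer's scripts from another's files.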
