[Mediawiki-l] Installation: security lockdown after HEAD installation
brion at pobox.com
Tue Apr 20 20:03:54 UTC 2004
On Apr 20, 2004, at 12:42, Derek A. Rogillio wrote:
> I downloaded the latest software from CVS into the phase3 directory.
> I tried to do a command-line install using install.php but this does
> not appear to be working. Reading the script, some of the necessary
> directories are not referenced or copied in install.php. I know the
> install.php installation is not working in the stable branches. Is
> this true with the HEAD branch as well?
The current command-line installer is being axed in favor of the
in-place install (which perhaps will be improved in the future to allow
a command-line execution as well as the browser-based install) We're
certainly _trying_ to make the in-place installation secure, though.
> I decided to try the in-place install. I copied the entire phase3
> directory to a place accessible by my web server and renamed it to
> something more appropriate (testwiki). I ran the in-place install and
> everything worked perfectly.
> One downside with this approach is that I now have a bunch of files
> accessible to my web server that I am sure don't need to be there.
> Since a lot of this is new, I'm not sure what I can remove now that
> the Wiki is running, nor do I know what might be a security risk. Has
> anyone done a writeup on cleaning up/securing an installation of the
> HEAD branch? I wasn't able to find anything via Google.
If you'd like to do some extra security testing in case we missed
something, you might try:
* set PHP's error_reporting level to E_ALL to include extra notices of
eg use of uninitialized variables
* Go through the installation hitting every *.php and *.phtml file from
a browser; see if any uninitialized variables are used (some could be
potential attack vectors with register_globals off)
In particular, make sure the scripts in the maintenance directory don't
execute from the web.
If you'd like to add extra precautions there are a number of things you
* remove install.php, update.php as they are not needed
* block off the config, includes, languages, maintenance, math,
extensions (if not using WikiHiero), and templates directories from the
web (ie, 'Deny from all' in .htaccess or global apache config).
* config and maintenance aren't needed on a _running_ installation, you
can prune them (or keep copies elsewhere).
* includes and languages don't have to be in the web area. You can move
their contents elsewhere and set the include_path appropriately in
* math isn't needed if not using TeX; extensions isn't needed if not
* Move the passwords in LocalSettings.php into a file outside of the
web-accessible space and include() that file. This would protect
against accidental exposure of database passwords in editor backup
* Make sure register_globals is off (off by default in PHP since
We could perhaps add .htaccess files with 'Deny from all' into some of
these directories for added protection, though they would not be active
on all installations (depends on apache settings).
> The other downside is that I expect HEAD to be updated quite often.
> Since install.php and upgrade.php expect files to be in different
> locations than the in-place install, how do you update the
> installation to the latest version from CVS?
I just do a 'cvs up'. (or 'cvs up -dP' if directories have been added
-- brion vibber (brion @ pobox.com)
More information about the MediaWiki-l