[Mediawiki-l] Installation: security lockdown after HEAD installation

Brion Vibber brion at pobox.com
Tue Apr 20 20:03:54 UTC 2004

On Apr 20, 2004, at 12:42, Derek A. Rogillio wrote:
> I downloaded the latest software from CVS into the phase3 directory.  
> I tried to do a command-line install using install.php but this does 
> not appear to be working.  Reading the script, some of the necessary 
> directories are not referenced or copied in install.php.  I know the 
> install.php installation is not working in the stable branches.  Is 
> this true with the HEAD branch as well?

The current command-line installer is being axed in favor of the 
in-place install (which perhaps will be improved in the future to allow 
a command-line execution as well as the browser-based install). We're 
certainly _trying_ to make the in-place installation secure, though.

> I decided to try the in-place install.  I copied the entire phase3 
> directory to a place accessible by my web server and renamed it to 
> something more appropriate (testwiki).  I ran the in-place install and 
> everything worked perfectly.


> One downside with this approach is that I now have a bunch of files 
> accessible to my web server that I am sure don't need to be there. 
> Since a lot of this is new, I'm not sure what I can remove now that 
> the Wiki is running, nor do I know what might be a security risk.  Has 
> anyone done a writeup on cleaning up/securing an installation of the 
> HEAD branch?  I wasn't able to find anything via Google.

If you'd like to do some extra security testing in case we missed 
something, you might try:
* Set PHP's error_reporting level to E_ALL to include extra notices of 
e.g. use of uninitialized variables
* Go through the installation hitting every *.php and *.phtml file from 
a browser; see if any uninitialized variables are used (some could be 
potential attack vectors with register_globals off)

In particular, make sure the scripts in the maintenance directory don't 
execute from the web.

If you'd like to add extra precautions there are a number of things you 
could do:
* remove install.php, update.php as they are not needed
* block off the config, includes, languages, maintenance, math, 
extensions (if not using WikiHiero), and templates directories from the 
web (i.e., 'Deny from all' in .htaccess or global apache config).
* config and maintenance aren't needed on a _running_ installation, you 
can prune them (or keep copies elsewhere).
* includes and languages don't have to be in the web area. You can move 
their contents elsewhere and set the include_path appropriately in 
* math isn't needed if not using TeX; extensions isn't needed if not 
using WikiHiero
* Move the passwords in LocalSettings.php into a file outside of the 
web-accessible space and include() that file. This would protect 
against accidental exposure of database passwords in editor backup 
files etc.
* Make sure register_globals is off (off by default in PHP since 

We could perhaps add .htaccess files with 'Deny from all' into some of 
these directories for added protection, though they would not be active 
on all installations (depends on apache settings).

> The other downside is that I expect HEAD to be updated quite often. 
> Since install.php and upgrade.php expect files to be in different 
> locations than the in-place install, how do you update the 
> installation to the latest version from CVS?

I just do a 'cvs up'. (or 'cvs up -dP' if directories have been added 
or pruned.)

-- brion vibber (brion @ pobox.com)
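
The checklist in the message above can be run as a static audit of the wiki's web directory. This shell script is an added example, not part of the original message or of MediaWiki. Assumptions: the function names, the backup-file name patterns, install.php and update.php sitting in the wiki root, and the database password being the $wgDBpassword setting in LocalSettings.php.

```shell
#!/bin/sh
# Added example: static audit of a MediaWiki web root against the checklist above.
# Prints one "FINDING: ..." line per issue. It reads files only and cannot see
# blocks made in the global Apache config or whether .htaccess is honoured.

audit_wiki_root() {
    root=$1

    # Installer/updater scripts are not needed on a running wiki.
    for f in install.php update.php; do
        if [ -e "$root/$f" ]; then echo "FINDING: $f still present"; fi
    done

    # Directories that should not be served: look for a local deny rule.
    for d in config includes languages maintenance math extensions templates; do
        [ -d "$root/$d" ] || continue
        if ! grep -qi '^[[:space:]]*deny from all' "$root/$d/.htaccess" 2>/dev/null; then
            echo "FINDING: $d/ has no 'Deny from all' in .htaccess"
        fi
    done

    # Database password assigned directly in the web-accessible settings file.
    if grep -q '^[[:space:]]*\$wgDBpassword[[:space:]]*=' "$root/LocalSettings.php" 2>/dev/null; then
        echo "FINDING: LocalSettings.php sets \$wgDBpassword inline"
    fi

    # Editor backup copies do not end in .php, so they are typically served as text.
    for b in "$root"/LocalSettings.php~ "$root"/LocalSettings.php.bak "$root"/.LocalSettings.php.swp; do
        if [ -e "$b" ]; then echo "FINDING: backup copy ${b##*/}"; fi
    done
    return 0
}

# Constructed sample tree (not a real installation) used to exercise the audit.
make_sample_root() {
    t=$(mktemp -d)
    mkdir "$t/config" "$t/includes" "$t/maintenance"
    echo 'Deny from all' > "$t/includes/.htaccess"
    : > "$t/install.php"
    printf '<?php\n$wgDBpassword = "constructed-example";\n' > "$t/LocalSettings.php"
    cp "$t/LocalSettings.php" "$t/LocalSettings.php~"
    echo "$t"
}

# Usage: sh audit.sh /path/to/wiki   (no argument: audit the sample tree)
if [ "$#" -gt 0 ]; then
    audit_wiki_root "$1"
else
    sample=$(make_sample_root); audit_wiki_root "$sample"; rm -rf "$sample"
fi
```

A clean run only shows that the files look right on disk; requesting a file in each directory from a browser is still the check that the web server actually refuses it.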

