On Apr 20, 2004, at 12:42, Derek A. Rogillio wrote:
> I downloaded the latest software from CVS into the phase3 directory.
> I tried to do a command-line install using install.php but this does
> not appear to be working. Reading the script, some of the necessary
> directories are not referenced or copied in install.php. I know the
> install.php installation is not working in the stable branches. Is
> this true with the HEAD branch as well?
The current command-line installer is being axed in favor of the
in-place install (which perhaps will be improved in the future to allow
a command-line execution as well as the browser-based install). We're
certainly _trying_ to make the in-place installation secure, though.
> I decided to try the in-place install. I copied the entire phase3
> directory to a place accessible by my web server and renamed it to
> something more appropriate (testwiki). I ran the in-place install and
> everything worked perfectly.
Yay!
> One downside with this approach is that I now have a bunch of files
> accessible to my web server that I am sure don't need to be there.
> Since a lot of this is new, I'm not sure what I can remove now that
> the Wiki is running, nor do I know what might be a security risk. Has
> anyone done a writeup on cleaning up/securing an installation of the
> HEAD branch? I wasn't able to find anything via Google.
If you'd like to do some extra security testing in case we missed
something, you might try:
* set PHP's error_reporting level to E_ALL to include extra notices of,
e.g., use of uninitialized variables
* Go through the installation hitting every *.php and *.phtml file from
a browser; see if any uninitialized variables are used (some could be
potential attack vectors with register_globals off)
In particular, make sure the scripts in the maintenance directory don't
execute from the web.
If you'd like to add extra precautions there are a number of things you
could do:
* remove install.php, update.php as they are not needed
* block off the config, includes, languages, maintenance, math,
extensions (if not using WikiHiero), and templates directories from the
web (i.e., 'Deny from all' in .htaccess or global apache config).
* config and maintenance aren't needed on a _running_ installation, you
can prune them (or keep copies elsewhere).
* includes and languages don't have to be in the web area. You can move
their contents elsewhere and set the include_path appropriately in
LocalSettings.php.
* math isn't needed if not using TeX; extensions isn't needed if not
using WikiHiero.
* Move the passwords in LocalSettings.php into a file outside of the
web-accessible space and include() that file. This would protect
against accidental exposure of database passwords in editor backup
files etc.
* Make sure register_globals is off (off by default in PHP since
4.2.something)
We could perhaps add .htaccess files with 'Deny from all' into some of
these directories for added protection, though they would not be active
on all installations (depends on apache settings).
> The other downside is that I expect HEAD to be updated quite often.
> Since install.php and upgrade.php expect files to be in different
> locations than the in-place install, how do you update the
> installation to the latest version from CVS?
I just do a 'cvs up'. (or 'cvs up -dP' if directories have been added
or pruned.)
-- brion vibber (brion @ pobox.com)
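As an added example (not part of the thread above, and not MediaWiki's own tooling), the following POSIX shell script applies two of the precautions Brion lists to a checkout served from a web directory: it drops a 'Deny from all' .htaccess into the config, includes, languages, maintenance, math, extensions and templates directories, removes install.php and update.php, and then audits the tree so you can see what is still exposed. The directory list and file names are taken from the reply; the function names, the audit output format and the assumption that Apache honours .htaccess in that tree (AllowOverride) are mine.

```shell
#!/bin/sh
# Added example: lock down a MediaWiki checkout the way the reply above
# describes. Assumes Apache reads .htaccess for this tree (AllowOverride
# Limit or All); if it does not, put the same 'Deny from all' into the
# global apache config instead.

# Directories the reply says need not be served from the web.
LOCKED_DIRS="config includes languages maintenance math extensions templates"
# Installer scripts the reply says are not needed once the wiki runs.
UNNEEDED_FILES="install.php update.php"

# harden_wiki_tree DIR: write the deny rule and prune installer scripts.
harden_wiki_tree() {
    root="$1"
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 1; }
    for d in $LOCKED_DIRS; do
        # Only touch directories that exist in this checkout
        # (e.g. math is absent when TeX support is not built).
        [ -d "$root/$d" ] || continue
        printf 'Order deny,allow\nDeny from all\n' > "$root/$d/.htaccess"
    done
    for f in $UNNEEDED_FILES; do
        [ -f "$root/$f" ] && rm -f "$root/$f"
    done
    return 0
}

# audit_wiki_tree DIR: report anything still exposed; returns 1 if any
# listed directory lacks the deny rule or an installer script remains.
audit_wiki_tree() {
    root="$1"
    status=0
    for d in $LOCKED_DIRS; do
        [ -d "$root/$d" ] || continue
        if ! grep -q '^Deny from all' "$root/$d/.htaccess" 2>/dev/null; then
            echo "EXPOSED: $root/$d has no 'Deny from all' .htaccess"
            status=1
        fi
    done
    for f in $UNNEEDED_FILES; do
        if [ -f "$root/$f" ]; then
            echo "EXPOSED: installer script $root/$f still present"
            status=1
        fi
    done
    return $status
}

# Usage: harden_wiki_tree /var/www/testwiki && audit_wiki_tree /var/www/testwiki
```

Run the audit once before hardening to see the exposed directories, then again afterwards; a clean run prints nothing and exits 0. The 'Order deny,allow' / 'Deny from all' pair is the Apache 2.0/2.2 syntax the reply refers to; on Apache 2.4 the equivalent directive is 'Require all denied'. Remember that .htaccess only blocks HTTP access: it does nothing for the database password in LocalSettings.php, which the reply suggests moving to an include()d file outside the web root.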