Yeah, that's already happened a few times (typo taking the site down). What
I did on another wiki farm was have one wiki in charge of the other wiki's
config files, so that if you messed up LocalSettings.php, it wouldn't take
down the wiki that was modifying it.
My goal was to have some sort of version control system in place so that as
different people are changing the files, we know who did what when, and can
revert easily to a previous version.
On Sat, Jul 1, 2017 at 7:04 PM, Brian Wolff <bawolff(a)gmail.com> wrote:
Even ignoring the security issues, if one of your
users makes a typo, they
take down the site and they cannot revert because the site is then down.
From a security prespective, this is equivalent to giving your users shell
access to your server. They can run any arbitrary program, do anything,
insert backdoors, etc. Additionally this setup requires the web user to
have write access to php enabled web directories which is also bad
practise.
--
bawolff
On Saturday, July 1, 2017, Legoktm <legoktm.wikipedia(a)gmail.com> wrote:
On 07/01/2017 03:16 PM, Jean Valjean wrote:
> I want to let some of my administrators (in the wizards group) edit
> LocalSettings.php, so I used this snippet, which allows them to make
> changes by editing the Project:Shared_config.php page. Then I protected
the
page so
that only wizards can edit it. Do you think this presents any
security issues?
Yes, it presents a huge security issue. Anyone who can modify your
LocalSettings.php can execute arbitrary PHP code. They could see any
private data in your database, easily get passwords, or even potentially
give themselves server access.
I would highly recommend NOT doing this.
-- Legoktm
_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l