Wiki is mildly misconfigured...


Jeffrey Walton

Jun 19, 2016, 10:16:54 PM
to Crypto++ Users
Hi Everyone,

I wanted to provide a quick heads up... recently we hardened the web server. We did things like ensuring root owned things, user 'apache' had u+r files, while providing u+rw in a few places as required, like runtime temp directory for session information. Apache seems well configured now, and mostly follows best practices.

The hardening partially broke the wiki. For example, the wiki cannot generate thumbnails at the moment. You can see its effects by visiting the homepage. I'm having trouble clearing the issues because I cannot find a guide on MediaWiki's security best practices, or even a list of which directories need u+rw. (I'd prefer MediaWiki run under a different security context than Apache, but that does not appear to be a viable option.)

I've got a couple of questions open on the Stack Exchange network:

* http://webmasters.stackexchange.com/questions/93864/best-practice-for-temp-directory-used-by-mediawiki
* http://webmasters.stackexchange.com/questions/93758/file-system-permission-for-mediawiki-uploads
* http://webapps.stackexchange.com/q/94930/72479

If you have experience administering MediaWiki, then please provide some suggestions.

Jeff

Jeffrey Walton

Jun 19, 2016, 10:48:16 PM
to Crypto++ Users

Whoops, most of the references above to file permissions should be group: g+r, g+rw, etc. The files are owned by root, and apache gets access through the group.

Jeff
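
An added example, not part of either post above: a POSIX shell audit of the permission model the thread describes (files owned by root, the web server reading through its group, group-write only where required). The function name `audit_tree` and its arguments are hypothetical, and the writable subdirectories are supplied by the caller because the thread does not list them.

```shell
#!/bin/sh
# Added example (not from the thread).
# Usage: audit_tree ROOT OWNER GROUP [WRITABLE_SUBDIR ...]
# Prints one "REASON<TAB>PATH" line per finding; prints nothing when clean.
audit_tree() {
    root=$1 owner=$2 group=$3
    shift 3

    # Everything should belong to OWNER:GROUP (root and apache's group in the thread).
    find "$root" ! -type l \( ! -user "$owner" -o ! -group "$group" \) \
        -exec printf 'wrong-owner\t%s\n' {} \;
    # The web server reads through the group, so group-read must be set.
    find "$root" ! -type l ! -perm -040 -exec printf 'no-group-read\t%s\n' {} \;
    # Nothing should be writable by "other".
    find "$root" ! -type l -perm -002 -exec printf 'world-writable\t%s\n' {} \;

    # Group-write is only expected inside the caller's listed subdirectories.
    find "$root" ! -type l -perm -020 -print | while IFS= read -r path; do
        allowed=no
        for sub in "$@"; do
            case $path in
                "$root/$sub"|"$root/$sub"/*) allowed=yes ;;
            esac
        done
        [ "$allowed" = yes ] || printf 'unexpected-group-write\t%s\n' "$path"
    done

    # A listed directory the group cannot write to is the kind of gap that
    # breaks a feature (such as thumbnail generation) after hardening.
    for sub in "$@"; do
        if [ ! -d "$root/$sub" ]; then
            printf 'missing-dir\t%s\n' "$root/$sub"
        elif [ -z "$(find "$root/$sub" -prune -perm -070)" ]; then
            printf 'dir-not-group-writable\t%s\n' "$root/$sub"
        fi
    done
}
```

Run it as a user that can read the whole tree, passing the document root, the expected owner and group, and each subdirectory the application must write to.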