[Pmwiki-users] Re: Re: Re: setup script, sample-local.php, local/, and a slippery slope

Christian Ridderström chr
Fri Feb 13 03:41:48 CST 2004


On Thu, 12 Feb 2004, Patrick R. Michaud wrote:

> On Thu, Feb 12, 2004 at 10:58:23PM +0100, Christian Ridderström wrote:
> > 
> > I think maybe a var/ as John wrote isn't such a bad idea, especially if 
> > there currently are more non-page files in wiki.d (then they could be 
> > moved to var/).
> 
> Speaking as a sysadmin, I'd prefer there to be fewer *directories*
> writable by apache.  If a file is writable by apache, the impact can
> be fairly limited.  If a directory is writable by apache, it becomes
> possible to create all sorts of nasty things (symlinks, change file
> permissions by unlinking+creating a new file of the same name, trojan
> horses, etc.).

Since wiki.d/ already is writable by apache, this can't be that big of a 
deal, can it?

Btw, the function realpath() might be useful in this context -- it could 
be used to check that the file pmwiki.php writes to is located where it's 
supposed to be. Maybe something like this (just the check):

	dirname(realpath("pmwiki.php"))."/var"
	==
	dirname(realpath($fileInVarDirectory))

If I understand things correctly, this test will fail if either var/ is a 
link or the file $fileInVarDirectory is a link.
	
> Another possibility is to simply create sample-local.php in the base
> pmwiki directory, since the base directory has to be writable long
> enough to create wiki.d at setup time anyway.

That's not a bad idea.

> The user can then copy/move/delete the file as appropriate.  Of course
> sample-local.php would contain instructions about what to do with the
> file anyway.  :-)

And/or the file README.

> 
> > What are these other files in wiki.d/? 
> 
> .flock is the file used to prevent conflicting reads/writes, and 
> .mailposts keeps a log of changes for the mailposts script.  Those are
> the only two I can think of at the moment.  

Why do you hide the files? Wouldn't these be useful for an administrator 
to be able to find?  (not that they're easy to find among all the hundreds 
of different wiki-pages of course).

/Christian

-- 
Christian Ridderström                           http://www.md.kth.se/~chr
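The realpath() check sketched in the message above, worked out as an added example (it is not part of the original message nor of PmWiki's own code). The function name isInsideVarDir(), the temporary demo layout and the file names in it are this example's own assumptions; POSIX paths are assumed. The idea is the one from the message: canonicalise the script directory and var/, then require that the parent of the target resolves to exactly that var/, so a symlinked var/, a symlinked file, or a var/../ traversal all make the comparison fail.

```php
<?php
// Added example, not PmWiki's own code: a realpath()-based check that a path
// pmwiki.php is about to write really lies directly inside the var/ directory
// next to the script. Function name, demo layout and file names are assumed.

function isInsideVarDir(string $file, string $scriptDir): bool
{
    // Canonicalise both the script directory and var/. realpath() returns
    // false for a missing path; a symlinked var/ resolves somewhere else, so
    // the comparison below fails, which is the intended outcome.
    $base   = realpath($scriptDir);
    $varDir = realpath($scriptDir . '/var');
    if ($base === false || $varDir === false || $varDir !== $base . '/var') {
        return false;
    }

    // The target itself may not exist yet (a page about to be created), so
    // resolve its parent instead: it must be exactly var/, not a subdirectory
    // and not a path that walks out again (var/../local.php resolves to $base).
    if (realpath(dirname($file)) !== $varDir) {
        return false;
    }

    // The last component must be a plain file name.
    $name = basename($file);
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }

    // An existing target must not be a symlink: realpath() follows links, so
    // "var/evil -> /etc/passwd" would otherwise be written through.
    $target = $varDir . '/' . $name;
    if (is_link($target)) {
        return false;
    }
    return !file_exists($target) || realpath($target) === $target;
}

// Constructed demo layout in a fresh temporary directory (not a real wiki).
$tmp = sys_get_temp_dir() . '/pmwiki-realpath-demo-' . getmypid();
mkdir($tmp . '/var', 0700, true);
touch($tmp . '/var/.flock');                        // an ordinary file in var/
symlink('/etc/passwd', $tmp . '/var/evil');         // a symlink escaping var/
file_put_contents($tmp . '/local.php', "<?php\n"); // a file outside var/

$cases = [
    [$tmp . '/var/.flock',       true],   // plain file inside var/
    [$tmp . '/var/NewPage',      true],   // not created yet: still fine
    [$tmp . '/var/evil',         false],  // symlink pointing out of var/
    [$tmp . '/var/../local.php', false],  // traversal back out of var/
    [$tmp . '/local.php',        false],  // not under var/ at all
];
foreach ($cases as [$path, $expected]) {
    $allowed = isInsideVarDir($path, $tmp);
    printf("%-5s %s%s\n", $allowed ? 'ok' : 'deny', $path,
           $allowed === $expected ? '' : '   <-- unexpected');
}

// Replace var/ itself by a symlink to another directory: now even a harmless
// looking name must be refused, because var/ no longer resolves to $tmp/var.
unlink($tmp . '/var/evil');
unlink($tmp . '/var/.flock');
rmdir($tmp . '/var');
mkdir($tmp . '/elsewhere', 0700);
symlink($tmp . '/elsewhere', $tmp . '/var');
printf("symlinked var/: %s\n",
       isInsideVarDir($tmp . '/var/NewPage', $tmp) ? 'ok' : 'deny');

// Clean up the demo directory.
unlink($tmp . '/var');
rmdir($tmp . '/elsewhere');
unlink($tmp . '/local.php');
rmdir($tmp);
```

Run it with the php command-line interpreter. Two practical points: realpath() resolves relative paths against the current working directory, so pass absolute paths (or a base derived from dirname(__FILE__)) rather than a bare "pmwiki.php"; and realpath() returns false for a file that does not exist yet, which is why the parent directory is resolved rather than the file. The check is also only a snapshot: whoever can write to the directory, as apache can, could swap a file for a symlink between the check and the write, which is exactly the kind of trouble a writable directory invites.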
