[pmwiki-users] Protection of attachments!?!
mini at nada.kth.se
Wed Nov 30 12:07:19 CST 2005
On Wed 2005-11-30 at 11:08 -0600, Patrick R. Michaud wrote:
> Several times in the past I've thought about doing "secure by default",
> but I'm not sure it's what would make PmWiki most accessible to new
I thought as much. That's fine, by the way, if only the process of
locking down is clear. Which I don't find it is right now, but that can
be solved by documentation.
> From time-to-time we've also discussed having an "installation analysis"
> script that would review the current settings and environment and point
> out things that might be overlooked.
Can that really be done? Well, maybe. I think a simple checklist is
actually much more useful, as the admin gets to learn a few things at
the same time...
> > It's starting to get a bit frustrating to try to hunt down possible
> > "holes". A friend of mine has had the same experience that you never
> > really know if there are gaping holes left... The default settings for
> > passwords are very confusing, as some pages and groups override the
> > site-wide settings, for no *obvious* reason.
> The default settings are as follows:
> The default admin password is locked.
> Main.GroupAttributes locks the attr password for pages in the Main group.
> PmWiki.GroupAttributes locks the attr password for pages in the PmWiki group.
> Site.GroupAttributes locks editing for pages in the Site group.
> By popular demand, Site.SideBar is unlocked for editing.
Is this documented?
> > At the very least, it should be documented very clearly what steps are
> > needed to lock down an installation:
> > * Provide passwords etc. in config.php
> > * Check all GroupAttribute pages so that they do not
> > improperly override this (They do out of the box).
> Unfortunately there's not widespread agreement about what constitutes
> "improperly override".
Sorry, that only was referring to "improperly as viewed by the admin",
not worldwide :-).
> > * Check at least Site.SideBar
> > * Secure attachments.
> > * Maybe more that I have missed? Please add!
> Probably set $EnablePageListProtect if there are read-protected
> pages that shouldn't appear in page listings.
> > Please tell me where in the wiki this information should be added and
> > I'll give it a try, unless you plan to fix it in another way.
> I think it probably belongs in a cookbook recipe for now, although
> we can potentially add it to the main documentation.
The latter was my suggestion.
Plus ça change, plus c'est la même chose
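
An added example, not part of the original message and not PmWiki code: a small Python sketch of the "installation analysis" idea discussed above, checking the text of config.php and the GroupAttributes pages against the checklist items from the thread. `$DefaultPasswords` and `$EnableDirectDownload` are PmWiki variables not named in the post; the `passwd...=` line layout of page files and all sample inputs are assumptions constructed here.

```python
import re

def strip_comments(php):
    """Remove /* */ blocks and whole-line # or // comments."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return re.sub(r"(?m)^[ \t]*(#|//).*$", "", php)

def audit_config(php):
    """Findings for the text of config.php, one per unmet checklist item."""
    src = strip_comments(php)
    findings = []
    for level in ("admin", "edit", "attr"):
        pat = r"(?m)^\s*\$DefaultPasswords\[\s*['\"]%s['\"]\s*\]\s*=" % level
        if not re.search(pat, src):
            findings.append("no %s password set in config.php" % level)
    for var, wanted in (("EnablePageListProtect", "1"),
                        ("EnableDirectDownload", "0")):
        m = re.search(r"(?m)^\s*\$%s\s*=\s*([^;]+);" % var, src)
        if not m or m.group(1).strip() != wanted:
            findings.append("$%s is not set to %s in config.php" % (var, wanted))
    return findings

def group_overrides(pages):
    """Map each GroupAttributes page to the passwd* attributes it carries."""
    out = {}
    for name, text in pages.items():
        keys = re.findall(r"(?m)^(passwd\w+)=", text)
        if name.endswith(".GroupAttributes") and keys:
            out[name] = sorted(keys)
    return out

# Constructed sample inputs (not from a real installation).
SAMPLE_CONFIG = """<?php
# $DefaultPasswords['admin'] = crypt('constructed');
$DefaultPasswords['edit'] = crypt('constructed');
$EnablePageListProtect = 1;
"""
SAMPLE_PAGES = {
    "Main.GroupAttributes": "passwdattr=CONSTRUCTED\ntext=\n",
    "Site.GroupAttributes": "passwdedit=CONSTRUCTED\ntext=\n",
    "Site.SideBar": "text=constructed sidebar\n",
}

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("config:", finding)
    for page, keys in group_overrides(SAMPLE_PAGES).items():
        print("review %s: %s" % (page, ", ".join(keys)))
```

The script only reports what config.php states explicitly; it does not know the defaults of the installed PmWiki version, so each finding is a prompt for the admin to check, not a verdict.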