[pmwiki-users] Protection of attachments!?!

Mikael Nilsson mini at nada.kth.se
Wed Nov 30 12:07:19 CST 2005

Wed 2005-11-30 at 11:08 -0600, Patrick R. Michaud wrote:
> Several times in the past I've thought about doing "secure by default",
> but I'm not sure it's what would make PmWiki most accessible to new
> installers.

I thought as much. That's fine, by the way, if only the process of
locking down is clear. Which I don't find it is right now, but that can
be solved by documentation.

> From time-to-time we've also discussed having an "installation analysis"
> script that would review the current settings and environment and point
> out things that might be overlooked.

Can that really be done? Well, maybe. I think a simple checklist is
actually much more useful, as the admin gets to learn a few things at
the same time...

> > It's starting to get a bit frustrating to try to hunt down possible
> > "holes". A friend of mine has had the same experience that you never
> > really know if there are gaping holes left... The default settings for
> > passwords are very confusing, as some pages and groups override the
> > site-wide settings, for no *obvious* reason.
> The default settings are as follows:
>    The default admin password is locked.
>    Main.GroupAttributes locks the attr password for pages in the Main group.
>    PmWiki.GroupAttributes locks the attr password for pages in the PmWiki group.
>    Site.GroupAttributes locks editing for pages in the Site group.
>    By popular demand, Site.SideBar is unlocked for editing.

Is this documented?

> > At the very least, it should be documented very clearly what steps are
> > needed to lock down an installation:
> > 
> > * Provide passwords etc. in config.php
> > * Check all GroupAttribute pages so that they do not 
> >   improperly override this (They do out of the box).
> Unfortunately there's not widespread agreement about what constitutes
> "improperly override".

Sorry, that only was referring to "improperly as viewed by the admin",
not worldwide :-).

> > * Check at least Site.SideBar
> > * Secure attachments.
> > * Maybe more that I have missed? Please add!
> Probably set $EnablePageListProtect if there are read-protected
> pages that shouldn't appear in page listings.

Ahh, yes.

> > Please tell me where in the wiki this information should be added and
> > I'll give it a try, unless you plan to fix it in another way.
> I think it probably belongs in a cookbook recipe for now, although
> we can potentially add it to the main documentation.

The latter was my suggestion.

The more things change, the more they stay the same
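
A sketch of the "installation analysis" idea applied to the lockdown checklist in this thread; it is an added example, not part of the original message and not PmWiki code. The sample config.php, the sample page files and their key=value layout are constructed assumptions, and $EnableDirectDownload is a PmWiki setting for serving attachments through PmWiki that the message itself does not name.

```python
import re

# Constructed sample config.php (not from the thread): uploads on, little else set.
SAMPLE_CONFIG = """<?php if (!defined('PmWiki')) exit();
$EnableUpload = 1;
# $DefaultPasswords['admin'] = crypt('placeholder');
$DefaultPasswords['upload'] = crypt('placeholder');
"""
# Constructed sample page files; the key=value line layout is an assumption.
SAMPLE_PAGES = {
    "Main.GroupAttributes": "version=pmwiki-2\npasswdattr=*\n",
    "Site.SideBar": "version=pmwiki-2\ntext=* [[Main/HomePage]]\n",
}

def active_lines(config_text):
    """Return config lines, skipping blank lines and whole-line # or // comments."""
    lines = (l.strip() for l in config_text.splitlines())
    return [l for l in lines if l and not l.startswith(("#", "//"))]

def int_setting(lines, name):
    """Return the last integer assigned to $name, or None if it is never set."""
    pat = re.compile(r"^\$" + re.escape(name) + r"\s*=\s*(\d+)\s*;")
    hits = [int(m.group(1)) for m in map(pat.match, lines) if m]
    return hits[-1] if hits else None

def audit_config(config_text):
    """Return review items for the lockdown checklist discussed in the thread."""
    lines = active_lines(config_text)
    findings = []
    for level in ("admin", "edit", "upload"):
        pat = re.compile(r"^\$DefaultPasswords\['" + level + r"'\]\s*=")
        if not any(pat.match(l) for l in lines):
            findings.append("$DefaultPasswords['%s'] not set in config.php" % level)
    if int_setting(lines, "EnablePageListProtect") != 1:
        findings.append("$EnablePageListProtect is not 1")
    uploads = int_setting(lines, "EnableUpload") == 1
    if uploads and int_setting(lines, "EnableDirectDownload") != 0:
        findings.append("uploads enabled but $EnableDirectDownload is not 0")
    return findings

def attribute_overrides(pages):
    """Map page name -> passwd* keys it sets, for the admin to review."""
    found = {n: sorted(set(re.findall(r"^(passwd\w+)=", t, re.M))) for n, t in pages.items()}
    return {n: keys for n, keys in found.items() if keys}
```

The findings are review items for the admin, not verdicts: whether a group-level override is "improper" stays the admin's call.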
