[pmwiki-users] secure farms (getting lost in compromises)

Patrick R. Michaud pmichaud at pobox.com
Sun Dec 17 03:30:42 CST 2006


On Sun, Dec 17, 2006 at 03:31:15AM +0000, Lucian Wischik wrote:
> J. Meijer <commentgg <at> hotmail.com> writes:
> > Hi, I suppose this is a subject many have problems with.
> > For those who don't want to open up their wiki.d to the
> > public, the question is how to install?
> 
> (sorry, I haven't read any previous discussion on this subject, so my
> answer may already have been covered...)
> 
> How about just putting a .htaccess file in the wiki.d directory,
> one that disallows web access to it?

PmWiki already puts a .htaccess file in the wiki.d/ directory
to disallow web access.  But some sites may not be running
Apache, and some Apache servers are not configured to recognize
or process .htaccess files.

For those sites where I really want wiki.d/ out of the web
hierarchy, my approach is generally to install PmWiki outside of
the web hierarchy, and then place an index script inside 
of my web space that has the following:

    <?php
      chdir('/path/to/real/pmwiki');
      include_once('pmwiki.php');

I then create either symlinks or aliases for the pub/ and uploads/
directories, and also explicitly set values for $ScriptUrl and
$PubDirUrl in local/config.php .

That's the basics of the approach that I use.  But as Kathryn
accurately comments in a later message -- there's more than one "right"
way to do it, and because of the many applications and site configurations
it's very difficult to declare any of them as a "preferred" one.
There are a lot of sites in the PmWiki universe that fall into
one or more of the following categories:
   - not running Apache
   - Apache ignores per-directory .htaccess files
   - cannot create aliases
   - cannot create symlinks
   - don't have mod_rewrite available
   - are running farms
   - have PHP safe_mode enabled
   - miscellaneous other factors

Pm
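
A layout check for the approach described in the message above, as an added example (not part of the original post and not PmWiki code): it walks the document root, following symlinks, and reports anything that resolves into wiki.d. The function names, the `htdocs` and `private` directory names and the sample tree are constructed for illustration; the check covers filesystem layout only, not server aliases or .htaccess rules.

```python
import os

def web_exposed(docroot, sensitive):
    """Docroot-relative paths that resolve to `sensitive` or to something inside it."""
    target = os.path.realpath(sensitive)
    inside = lambda p: p == target or p.startswith(target + os.sep)
    hits, seen = [], set()
    # followlinks=True: content behind a symlinked pub/ or uploads/ is served too.
    for cur, dirs, files in os.walk(docroot, followlinks=True):
        real_cur = os.path.realpath(cur)
        if real_cur in seen:      # already walked via another name (or a symlink loop)
            dirs[:] = []
            continue
        seen.add(real_cur)
        if inside(real_cur):      # report the top of the exposed tree once
            hits.append(os.path.relpath(cur, docroot))
            dirs[:] = []
            continue
        # A symlinked file can also point into the sensitive directory.
        hits += [os.path.relpath(os.path.join(cur, f), docroot) for f in files
                 if inside(os.path.realpath(os.path.join(cur, f)))]
    return sorted(hits)

def build_demo(base, expose=False):
    """Constructed sample tree: PmWiki outside the docroot, pub/ and uploads/ linked in."""
    real = os.path.join(base, "private", "pmwiki")
    docroot = os.path.join(base, "htdocs")
    for d in ("wiki.d", "pub", "uploads", "local"):
        os.makedirs(os.path.join(real, d))
    os.makedirs(docroot)
    open(os.path.join(docroot, "index.php"), "w").close()   # stands in for the index script
    for d in ("pub", "uploads"):
        os.symlink(os.path.join(real, d), os.path.join(docroot, d))
    if expose:   # mistake: linking the whole install puts wiki.d back under the docroot
        os.symlink(real, os.path.join(docroot, "wiki"))
    return docroot, os.path.join(real, "wiki.d")

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as t:
        print("intended layout:", web_exposed(*build_demo(t)))
    with tempfile.TemporaryDirectory() as t:
        print("whole install linked:", web_exposed(*build_demo(t, expose=True)))
```

An empty result means no path under the document root resolves into wiki.d; on a real site, pass the actual document root and the real wiki.d path.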



