summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJoey Hess <joey@gnu.kitenet.net>2009-05-15 21:47:55 -0400
committerJoey Hess <joey@gnu.kitenet.net>2009-05-15 21:47:55 -0400
commitdf112ed89e2e8fc5c4c449758968ccd21a10ad30 (patch)
treecebd0a8a36a4711eced368c8af11484c07918b41
parent84ce21f85d730507952301046b1f4fa8773f5dda (diff)
response
-rw-r--r--doc/tips/dot_cgi.mdwn6
-rw-r--r--doc/tips/dot_cgi/discussion.mdwn35
2 files changed, 33 insertions, 8 deletions
diff --git a/doc/tips/dot_cgi.mdwn b/doc/tips/dot_cgi.mdwn
index 04d7a9721..64d7a0757 100644
--- a/doc/tips/dot_cgi.mdwn
+++ b/doc/tips/dot_cgi.mdwn
@@ -52,6 +52,6 @@ Note that the first part enables cgi server wide but depending on default
configuration, it may be not enough. The second part creates a specific
rule that allow `ikiwiki.cgi` to be executed.
-**Warning:** I only use this on my development server (offline). I am not
-sure of how secure this approach is. If you have any thought about it, feel
-free to let me know.
+**Warning:** I only use this lighttpd configuration on my development
+server (offline). I am not sure of how secure this approach is.
+If you have any thought about it, feel free to let me know.
diff --git a/doc/tips/dot_cgi/discussion.mdwn b/doc/tips/dot_cgi/discussion.mdwn
index 4bb0007bd..124b9edff 100644
--- a/doc/tips/dot_cgi/discussion.mdwn
+++ b/doc/tips/dot_cgi/discussion.mdwn
@@ -1,11 +1,36 @@
## warning: lighttpd only or both?
-Is your warning at the bottom (you don't know how secure it is) only about lighttpd or it's about apache2 configuration as well?
+Is your warning at the bottom (you don't know how secure it is) only about
+lighttpd or it's about apache2 configuration as well?
-I'm asking this because right now I want to setup an httpd solely for the public use of ikiwiki on a general purpose computer (there are other things there), and so I need to choose the more secure solution. --Ivan Z.
+> The latter. (Although I don't know why using lighttpd would lead
+> to any additional security exposure anyway.) --[[Joey]]
-> AFAIU, my main simplest security measure should be running the public ikiwiki's cgi under a special user, but then: how do I push to the repo owned by that other user? I see, probably I should setup the public wiki under the special user (so that it was able to create the cgi-script with the desired permission), and then give my personal user the required permissions to make a git-push by, say, creating a special Unix group for this.
+I'm asking this because right now I want to setup an httpd solely for the
+public use of ikiwiki on a general purpose computer (there are other things
+there), and so I need to choose the more secure solution. --Ivan Z.
-> Shouldn't there be a page here which would document a secure public and multi-user installation of ikiwiki (by "multi-user" I mean writable by a group of local Unix users)? If there isn't such yet, I started writing it with this discussion.--Ivan Z.
+> AFAIU, my main simplest security measure should be running the public
+> ikiwiki's cgi under a special user, but then: how do I push to the repo
+> owned by that other user? I see, probably I should setup the public wiki
+> under the special user (so that it was able to create the cgi-script with
+> the desired permission), and then give my personal user the required
+> permissions to make a git-push by, say, creating a special Unix group for
+> this.
-> I see, perhaps a simpler setup would not make use of a Unix group, but simply allow pushing to the public wiki (kept under a special user) through git+ssh. --Ivan Z.
+> Shouldn't there be a page here which would document a secure public and
+> multi-user installation of ikiwiki (by "multi-user" I mean writable by a
+> group of local Unix users)? If there isn't such yet, I started writing it
+> with this discussion.--Ivan Z.
+
+> I see, perhaps a simpler setup would not make use of a Unix group, but
+> simply allow pushing to the public wiki (kept under a special user) through
+> git+ssh. --Ivan Z.
+
+>> Yes, it's certianly possible to configure git (and svn, etc) repositories so that
+>> two users can both push to them. There should be plenty of docs out there
+>> about doing that.
+>>
+>> The easiest way though is probably
+>> to add your ssh key to the special user's `.ssh/authorized_keys`
+>> and push that way. --[[Joey]]