From af3b457b80d9cd7fa85514e1f1dd583e2f165ba3 Mon Sep 17 00:00:00 2001 From: "http://lj.rossia.org/users/imz/" Date: Fri, 15 May 2009 18:51:13 -0400 Subject: Q: warning: lighttpd only or both? --- doc/tips/dot_cgi/discussion.mdwn | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 doc/tips/dot_cgi/discussion.mdwn (limited to 'doc/tips/dot_cgi') diff --git a/doc/tips/dot_cgi/discussion.mdwn b/doc/tips/dot_cgi/discussion.mdwn new file mode 100644 index 000000000..982621295 --- /dev/null +++ b/doc/tips/dot_cgi/discussion.mdwn @@ -0,0 +1,5 @@ +## warning: lighttpd only or both? + +Is your warning at the bottom (you don't know how secure it is) only about lighttpd or it's about apache2 configuration as well? + +I'm asking this because right now I want to setup an httpd solely for the public use of ikiwiki on a general puprpose computer (there are other things there), and so I need to choose the more secure solution. --Ivan Z. -- cgit v1.2.3 From 5d8fa0de2736b615b62f6c5df4c015ee868fe703 Mon Sep 17 00:00:00 2001 From: "http://lj.rossia.org/users/imz/" Date: Fri, 15 May 2009 19:03:24 -0400 Subject: More my thoughts about making a secure public wiki -- perhaps someone will find them useful --- doc/tips/dot_cgi/discussion.mdwn | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'doc/tips/dot_cgi') diff --git a/doc/tips/dot_cgi/discussion.mdwn b/doc/tips/dot_cgi/discussion.mdwn index 982621295..50e6fd9d5 100644 --- a/doc/tips/dot_cgi/discussion.mdwn +++ b/doc/tips/dot_cgi/discussion.mdwn 
@@ -2,4 +2,6 @@ Is your warning at the bottom (you don't know how secure it is) only about lighttpd or it's about apache2 configuration as well? -I'm asking this because right now I want to setup an httpd solely for the public use of ikiwiki on a general puprpose computer (there are other things there), and so I need to choose the more secure solution. --Ivan Z. +I'm asking this because right now I want to setup an httpd solely for the public use of ikiwiki on a general purpose computer (there are other things there), and so I need to choose the more secure solution. --Ivan Z. +> AFAIU, my main simplest security measure should be running the public ikiwiki's cgi under a special user, but then: how do I push to the repo owned by that other user? I see, probably I should setup the public wiki under the special user (so that it was able to create the cgi-script with the desired permission), and then give my personal user the required permissions to make a git-push by, say, creating a special Unix group for this. +> Shouldn't there be a page here which would document a secure public and multi-user installation of ikiwiki (by "multi-user" I mean writable by a group of local Unix users)? If there isn't such yet, I started writing it with this discussion.--Ivan Z. -- cgit v1.2.3 From 99018a65e5f4cb7378b4e78d2357d3f07f39691a Mon Sep 17 00:00:00 2001 From: "http://lj.rossia.org/users/imz/" Date: Fri, 15 May 2009 19:04:21 -0400 Subject: minor: formatting --- doc/tips/dot_cgi/discussion.mdwn | 2 ++ 1 file changed, 2 insertions(+) (limited to 'doc/tips/dot_cgi') diff --git a/doc/tips/dot_cgi/discussion.mdwn b/doc/tips/dot_cgi/discussion.mdwn index 50e6fd9d5..8bca5ef5a 100644 --- a/doc/tips/dot_cgi/discussion.mdwn +++ b/doc/tips/dot_cgi/discussion.mdwn 
@@ -3,5 +3,7 @@ Is your warning at the bottom (you don't know how secure it is) only about lighttpd or it's about apache2 configuration as well? I'm asking this because right now I want to setup an httpd solely for the public use of ikiwiki on a general purpose computer (there are other things there), and so I need to choose the more secure solution. --Ivan Z. + > AFAIU, my main simplest security measure should be running the public ikiwiki's cgi under a special user, but then: how do I push to the repo owned by that other user? I see, probably I should setup the public wiki under the special user (so that it was able to create the cgi-script with the desired permission), and then give my personal user the required permissions to make a git-push by, say, creating a special Unix group for this. + > Shouldn't there be a page here which would document a secure public and multi-user installation of ikiwiki (by "multi-user" I mean writable by a group of local Unix users)? If there isn't such yet, I started writing it with this discussion.--Ivan Z. -- cgit v1.2.3 From 1f185c5d408e1136a2c53537ef48cbce5652e8cf Mon Sep 17 00:00:00 2001 From: "http://lj.rossia.org/users/imz/" Date: Fri, 15 May 2009 19:21:25 -0400 Subject: a simplification to my previous hint about a trivial setup --- doc/tips/dot_cgi/discussion.mdwn | 2 ++ 1 file changed, 2 insertions(+) (limited to 'doc/tips/dot_cgi') diff --git a/doc/tips/dot_cgi/discussion.mdwn b/doc/tips/dot_cgi/discussion.mdwn index 8bca5ef5a..4bb0007bd 100644 --- a/doc/tips/dot_cgi/discussion.mdwn +++ b/doc/tips/dot_cgi/discussion.mdwn 
@@ -7,3 +7,5 @@ I'm asking this because right now I want to setup an httpd solely for the public > AFAIU, my main simplest security measure should be running the public ikiwiki's cgi under a special user, but then: how do I push to the repo owned by that other user? I see, probably I should setup the public wiki under the special user (so that it was able to create the cgi-script with the desired permission), and then give my personal user the required permissions to make a git-push by, say, creating a special Unix group for this. > Shouldn't there be a page here which would document a secure public and multi-user installation of ikiwiki (by "multi-user" I mean writable by a group of local Unix users)? If there isn't such yet, I started writing it with this discussion.--Ivan Z. + +> I see, perhaps a simpler setup would not make use of a Unix group, but simply allow pushing to the public wiki (kept under a special user) through git+ssh. --Ivan Z. -- cgit v1.2.3 From df112ed89e2e8fc5c4c449758968ccd21a10ad30 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Fri, 15 May 2009 21:47:55 -0400 Subject: response --- doc/tips/dot_cgi.mdwn | 6 +++--- doc/tips/dot_cgi/discussion.mdwn | 35 ++++++++++++++++++++++++++++++----- 2 files changed, 33 insertions(+), 8 deletions(-) (limited to 'doc/tips/dot_cgi') diff --git a/doc/tips/dot_cgi.mdwn b/doc/tips/dot_cgi.mdwn index 04d7a9721..64d7a0757 100644 --- a/doc/tips/dot_cgi.mdwn +++ b/doc/tips/dot_cgi.mdwn 
@@ -52,6 +52,6 @@ Note that the first part enables cgi server wide but depending on default configuration, it may be not enough. The second part creates a specific rule that allow `ikiwiki.cgi` to be executed. -**Warning:** I only use this on my development server (offline). I am not -sure of how secure this approach is. If you have any thought about it, feel -free to let me know. +**Warning:** I only use this lighttpd configuration on my development +server (offline). I am not sure of how secure this approach is. +If you have any thought about it, feel free to let me know. diff --git a/doc/tips/dot_cgi/discussion.mdwn b/doc/tips/dot_cgi/discussion.mdwn index 4bb0007bd..124b9edff 100644 --- a/doc/tips/dot_cgi/discussion.mdwn +++ b/doc/tips/dot_cgi/discussion.mdwn 
@@ -1,11 +1,36 @@ ## warning: lighttpd only or both? -Is your warning at the bottom (you don't know how secure it is) only about lighttpd or it's about apache2 configuration as well? +Is your warning at the bottom (you don't know how secure it is) only about +lighttpd or it's about apache2 configuration as well? -I'm asking this because right now I want to setup an httpd solely for the public use of ikiwiki on a general purpose computer (there are other things there), and so I need to choose the more secure solution. --Ivan Z. +> The latter. (Although I don't know why using lighttpd would lead +> to any additional security exposure anyway.) --[[Joey]] -> AFAIU, my main simplest security measure should be running the public ikiwiki's cgi under a special user, but then: how do I push to the repo owned by that other user? I see, probably I should setup the public wiki under the special user (so that it was able to create the cgi-script with the desired permission), and then give my personal user the required permissions to make a git-push by, say, creating a special Unix group for this. +I'm asking this because right now I want to setup an httpd solely for the +public use of ikiwiki on a general purpose computer (there are other things +there), and so I need to choose the more secure solution. --Ivan Z. -> Shouldn't there be a page here which would document a secure public and multi-user installation of ikiwiki (by "multi-user" I mean writable by a group of local Unix users)? If there isn't such yet, I started writing it with this discussion.--Ivan Z. +> AFAIU, my main simplest security measure should be running the public +> ikiwiki's cgi under a special user, but then: how do I push to the repo +> owned by that other user? 
I see, probably I should setup the public wiki +> under the special user (so that it was able to create the cgi-script with +> the desired permission), and then give my personal user the required +> permissions to make a git-push by, say, creating a special Unix group for +> this. -> I see, perhaps a simpler setup would not make use of a Unix group, but simply allow pushing to the public wiki (kept under a special user) through git+ssh. --Ivan Z. +> Shouldn't there be a page here which would document a secure public and +> multi-user installation of ikiwiki (by "multi-user" I mean writable by a +> group of local Unix users)? If there isn't such yet, I started writing it +> with this discussion.--Ivan Z. + +> I see, perhaps a simpler setup would not make use of a Unix group, but +> simply allow pushing to the public wiki (kept under a special user) through +> git+ssh. --Ivan Z. + +>> Yes, it's certianly possible to configure git (and svn, etc) repositories so that +>> two users can both push to them. There should be plenty of docs out there +>> about doing that. +>> +>> The easiest way though is probably +>> to add your ssh key to the special user's `.ssh/authorized_keys` +>> and push that way. --[[Joey]] -- cgit v1.2.3
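Review bot: in the `@@ -2,4 +2,6 @@` hunk of 5d8fa0de, the two added `>` paragraphs are not separated by a blank line from each other or from the `+I'm asking this because ...` paragraph above them, so they will run together into one quoted block when rendered. Add the blank lines in this commit rather than in the follow-up 99018a65 ("minor: formatting"), which could then be squashed into it. The `puprpose` to `purpose` spelling fix on the same hunk is unrelated to the commit subject and would read better as its own change.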
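Review bot: the reworded warning in the doc/tips/dot_cgi.mdwn hunk of df112ed now reads "I only use this lighttpd configuration", but the reply added to discussion.mdwn in the same commit answers the question "only about lighttpd or it's about apache2 configuration as well?" with "The latter", that is, apache2 as well. The tip page and its discussion now disagree about whether the apache2 configuration is covered by the warning. Either word the warning so that it covers both configurations, or change the reply so that the two agree.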
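Review bot: in the doc/tips/dot_cgi/discussion.mdwn hunk of df112ed, the closing `>>` advice to add a personal ssh key to the special user's `.ssh/authorized_keys` by default gives that key a full login as the account the public CGI runs under, which is more than a push requires. Suggest saying that the key should be limited to git, for example by giving the special user `git-shell` as its login shell or by putting a `command=` restriction on the key's `authorized_keys` entry. Also, `certianly` in the first `>>` line should be `certainly`.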