From 47294262929f6bcb1f25bf25504d53a3b864da43 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Mon, 20 Oct 2008 16:55:38 -0400
Subject: pull together info on converting to ikiwiki from other systems
---
doc/tips/convert_MoinMoin_and_TWiki_to_ikiwiki.mdwn | 3 +++
doc/tips/convert_mediawiki_to_ikiwiki.mdwn | 4 ++++
2 files changed, 7 insertions(+)
create mode 100644 doc/tips/convert_MoinMoin_and_TWiki_to_ikiwiki.mdwn
create mode 100644 doc/tips/convert_mediawiki_to_ikiwiki.mdwn
(limited to 'doc/tips')
diff --git a/doc/tips/convert_MoinMoin_and_TWiki_to_ikiwiki.mdwn b/doc/tips/convert_MoinMoin_and_TWiki_to_ikiwiki.mdwn
new file mode 100644
index 000000000..5565dbd8a
--- /dev/null
+++ b/doc/tips/convert_MoinMoin_and_TWiki_to_ikiwiki.mdwn
@@ -0,0 +1,3 @@
+[[JoshTriplett]] has developed scripts to convert MoinMoin and TWiki wikis
+to ikiwikis backed by a git repository, including full history. For
+details, see [[his_user_page|JoshTriplett]].
diff --git a/doc/tips/convert_mediawiki_to_ikiwiki.mdwn b/doc/tips/convert_mediawiki_to_ikiwiki.mdwn
new file mode 100644
index 000000000..f03703b46
--- /dev/null
+++ b/doc/tips/convert_mediawiki_to_ikiwiki.mdwn
@@ -0,0 +1,4 @@
+[[sabr]] explains how to [import MediaWiki content into
+git](http://u32.net/Mediawiki_Conversion/index.html?updated), including
+full edit hostory. The [[plugins/contrib/mediawiki]] plugin can then be
+used by ikiwiki to build the wiki.
-- cgit v1.2.3
From 2af90681c713c4b54d1dfb7f1cc94cd8bc78a751 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Mon, 20 Oct 2008 20:32:07 -0400
Subject: re-encode to utf-8 I noticed the Fedora package doing this as part of its build.
---
doc/tips/vim_syntax_highlighting/ikiwiki.vim | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'doc/tips')
diff --git a/doc/tips/vim_syntax_highlighting/ikiwiki.vim b/doc/tips/vim_syntax_highlighting/ikiwiki.vim
index fd87f49a2..bbcad4239 100644
--- a/doc/tips/vim_syntax_highlighting/ikiwiki.vim
+++ b/doc/tips/vim_syntax_highlighting/ikiwiki.vim @@ -1,6 +1,6 @@ " Vim syntax file " Language: Ikiwiki (links) -" Maintainer: Recai Oktaþ (roktasATdebian.org) +" Maintainer: Recai OktaÅŸ (roktasATdebian.org) " Last Change: 2007 May 29 " Instructions: -- cgit v1.2.3 From 86ea8adaf3263babd401b7c2d73a1824b99ea908 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Fri, 24 Oct 2008 15:47:18 -0400 Subject: new tip on setting up anonymous push --- doc/tips/untrusted_git_push.mdwn | 119 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 119 insertions(+) create mode 100644 doc/tips/untrusted_git_push.mdwn (limited to 'doc/tips') diff --git a/doc/tips/untrusted_git_push.mdwn b/doc/tips/untrusted_git_push.mdwn new file mode 100644 index 000000000..48024566b --- /dev/null +++ b/doc/tips/untrusted_git_push.mdwn 
@@ -0,0 +1,119 @@
+This tip will describe how to allow anyone on the planet to `git push`
+changes into your wiki, without needing a special account. All a user needs
+to know is:
+
+ git clone git://your.wiki/path
+ # now modify any of the files the wiki would let you modify on the web
+ git push
+
+This is a wonderful thing to set up for users, because then they can work
+on the wiki while offline, and they don't need to mess around with web
+browsers.
+
+## security
+
+But, you might be wondering, how can this possibly be secure. Won't users
+upload all sorts of garbage, change pages you don't want them to edit, and so
+on.
+
+The key to making it secure is configuring ikiwiki to run as your git
+repository's `pre-receive` hook. There it will examine every change that
+untrusted users push into the wiki, and reject pushes that contain changes
+that cannot be made using the web interface.
+
+So, unless you have the [[ikiwiki/plugin/attachment]] plugin turned on,
+non-page files cannot be added. And if it's turned on, whatever
+`allowed_attachments` checks you have configured will also check files
+pushed into git.
+
+And, unless you have the [[ikiwiki/plugin/remove]] plugin turned on, no
+files can be deleted.
+
+And if you have `locked_pages` configured, then it will also affect what's
+pushed into git.
+
+Untrusted committers will also not be able to upload files with strange
+modes, or push to any branch except for the configured `gitorigin_branch`,
+or manipulate tags.
+
+One thing to keep an eye on is uploading large files. It may be easier to
+do this via git push than using the web, and that could be abused.
+
+## user setup
+
+Add a dedicated user who will push in untrusted commits. This user should have
+a locked password, and `git-shell` as its shell.
+
+ root@bluebird:/home/joey>adduser --shell=/usr/bin/git-shell--disabled-password anon
+ Adding user `anon' ...
+
+## ikiwiki setup
+
+You should set up ikiwiki before turning on anonymous push in git.
+
+Edit your wiki's setup file, and uncomment the lines for
+`git_test_receive_wrapper` and `untrusted_committers`.
+
+ # git pre-receive hook to generate
+ git_test_receive_wrapper => '/srv/git/ikiwiki.info/.git/hooks/pre-receive',
+ # unix users whose commits should be checked by the pre-receive hook
+ untrusted_committers => ['anon'],
+
+The `git_test_receive_wrapper` will become the git `pre-receive` hook. The
+`untrusted_committers` list is the list of unix users who will be pushing in
+untrusted changes. It should *not* include the user that ikiwiki normally runs
+as.
+
+Once you're done modifying the setup file, don't forget to run
+`ikiwiki -setup --refresh --wrappers` on it.
+
+## git setup
+
+You'll need to arrange the permissions on your bare git repository so that
+user anon can write to it. One way to do it is to create a group, and put
+both anon and your regular user in that group. Then make make the bare git
+repository owned and writable by the group. See [[rcs/git]] for some more
+tips on setting up a git repository with multiple committers.
+
+Note that anon should *not* be able to write to the `srcdir`, *only* to the bare git
+repository for your wiki.
+
+If you want to allow git over `ssh`, generate a ssh key for anon, and
+publish the *private* key for other people to use. This is optional; you
+can use `git-daemon` instead and not worry about keys.
+
+Now set up `git-daemon`. It will need to run as user `anon`, and be
+configured to export your wiki's bare git repository. I set it up as
+follows in `/etc/inetd.conf`, and ran `/etc/init.d/openbsd-inetd restart`.
+
+ git stream tcp nowait anon /usr/bin/git-daemon git-daemon --inetd --export-all --interpolated-path=/srv/git/%H%D /srv/git
+
+At this point you should be able to `git clone git://your.wiki/path` from
+anywhere, and check out the source to your wiki. But you won't be able to
+push to it yet, one more change is needed to turn that on. Edit the
+`config` file of your bare git repository, and allow `git-daemon` to
+receive pushes:
+
+ [daemon]
+ receivepack = true
+
+Now pushes should be accepted, and your wiki immediatly be updated. If it
+doesn't, check your git repo's permissions, and make sure that the
+`post-update` and `pre-receive` hooks are suid so they run as the user who
+owns the `srcdir`.
+
+## infelicities
+
+If a user tries to push a changeset that ikiwiki doesn't like, it will
+abort the push before refs are updated. However, the changeset will still
+be present in your repository, wasting space. Since nothing refers to it,
+it will be expired eventually. You can speed up the expiry by running `git
+prune`.
+
+When aborting a push, ikiwiki displays an error message about why it didn't
+accept it. If using git over ssh, the user will see this error message,
+which is probably useful to them. But `git-daemon` is buggy, and hides this
+message from the user. This can make it hard for users to figure out why
+their push was rejected. (If this happens to you, look at "'git log --stat
+origin/master..`" and think about whether your changes would be accepted
+over the web interface.)
-- cgit v1.2.3
From 0538498ed05f4abf3cb5102c299392d4b4c0086d Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Fri, 24 Oct 2008 16:21:22 -0400
Subject: links
---
doc/tips/untrusted_git_push.mdwn | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'doc/tips')
diff --git a/doc/tips/untrusted_git_push.mdwn b/doc/tips/untrusted_git_push.mdwn
index 48024566b..958e04e77 100644
--- a/doc/tips/untrusted_git_push.mdwn
+++ b/doc/tips/untrusted_git_push.mdwn
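Review bot: In the "git setup" section of the new `doc/tips/untrusted_git_push.mdwn` (the 119-line hunk), the inetd example passes `--export-all`, which makes git-daemon serve every repository under `/srv/git` to anonymous clients, although the surrounding text only intends the wiki's bare repository to be exported. Dropping `--export-all` and creating a `git-daemon-export-ok` file inside the wiki's bare repository keeps the export limited to that one repository. The ssh paragraph in the same section publishes anon's private key and relies on `git-shell` alone; git-shell limits which commands run but does not by itself turn off ssh port, X11 or agent forwarding, so the tip should tell readers to prefix the key's `authorized_keys` entry with `no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty`. It would also help to say next to `receivepack = true` that the `pre-receive` wrapper must be installed and working before that setting is enabled, since it is the only check between anonymous pushers and the repository.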
@@ -21,12 +21,12 @@ repository's `pre-receive` hook. There it will examine every change that untrusted users push into the wiki, and reject pushes that contain changes that cannot be made using the web interface. -So, unless you have the [[ikiwiki/plugin/attachment]] plugin turned on, +So, unless you have the [[plugins/attachment]] plugin turned on, non-page files cannot be added. And if it's turned on, whatever `allowed_attachments` checks you have configured will also check files pushed into git. -And, unless you have the [[ikiwiki/plugin/remove]] plugin turned on, no +And, unless you have the [[plugins/remove]] plugin turned on, no files can be deleted. And if you have `locked_pages` configured, then it will also affect what's -- cgit v1.2.3 From 8b1313825c7316fccc0f098f8669c3f74df3df28 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Fri, 24 Oct 2008 16:31:51 -0400 Subject: note about spoofing --- doc/tips/untrusted_git_push.mdwn | 3 +++ 1 file changed, 3 insertions(+) (limited to 'doc/tips') diff --git a/doc/tips/untrusted_git_push.mdwn b/doc/tips/untrusted_git_push.mdwn index 958e04e77..b7dba74c6 100644 --- a/doc/tips/untrusted_git_push.mdwn +++ b/doc/tips/untrusted_git_push.mdwn @@ -39,6 +39,9 @@ or manipulate tags. One thing to keep an eye on is uploading large files. It may be easier to do this via git push than using the web, and that could be abused. +Also, no checking is done that the authors of commits are right, so people +can make a commit that pretends to be done by someone else. + ## user setup Add a dedicated user who will push in untrusted commits. This user should have -- cgit v1.2.3 From 62d25b61f99796d85ad1dde016cb446594bcbb3a Mon Sep 17 00:00:00 2001 From: Jason Blevins Date: Fri, 24 Oct 2008 17:11:11 -0400 Subject: Fix typo --- doc/tips/untrusted_git_push.mdwn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'doc/tips') 
diff --git a/doc/tips/untrusted_git_push.mdwn b/doc/tips/untrusted_git_push.mdwn index b7dba74c6..aef67a3db 100644 --- a/doc/tips/untrusted_git_push.mdwn +++ b/doc/tips/untrusted_git_push.mdwn @@ -47,7 +47,7 @@ can make a commit that pretends to be done by someone else. Add a dedicated user who will push in untrusted commits. This user should have a locked password, and `git-shell` as its shell. - root@bluebird:/home/joey>adduser --shell=/usr/bin/git-shell--disabled-password anon + root@bluebird:/home/joey>adduser --shell=/usr/bin/git-shell --disabled-password anon Adding user `anon' ... ## ikiwiki setup -- cgit v1.2.3