This page explores some WikiFarm security concerns.
Questions that are answered by this recipe
What should I do to "lock down" my farm installation? How can I make sure there won't be an unintentional open wiki running on my server?
A wiki located in the same directory as the PmWiki software is called the home wiki. If you start with a stand-alone installation and add a wiki, the original wiki becomes a home wiki. For many farm installations there's no compelling reason to stop using the home wiki, although usually when an administrator installs a farm from scratch it's disabled.
Keeping the home wiki
The main difference between a home wiki and a wiki installed in other than the PmWiki directory is that any cookbook recipe or anything placed in the home wiki's pub/ directory, skins in particular, becomes available to any wiki in a farm. These point to the same directory in the home wiki, and different directories otherwise:
As a "best practice" it is probably wise to always use the top style in a home wiki.
Moving a home wiki
For the most part moving a home wiki to another directory only involves creating a new empty wiki from scratch and moving wiki.d/ and local/config.php to it.
There's one caveat: You can't always just copy or move a config.php file from a home wiki to a non-home wiki and have it work. You need to switch to the top version of the two examples above, where "
$FarmD/" is part of the path to scripts in the farm's (and home wiki's) scripts/ and cookbook/ directories. Be sure to use double quotes ("), not single (').
Disabling the home wiki
If you aren't using a home wiki be sure to disable it. It's easy to do.
On some server platforms the webserver can write to the filesystem by default. In that environment, merely visiting the URL of pmwiki.php will cause the home wiki to be established. To assure that a home wiki cannot be created, place a config.php file with the following single line in your farm's local/ directory:
<?php header('HTTP/1.0 403 Forbidden'); exit;
Or, if you want to provide an error message, use these lines:
<?php # Disable the home wiki for this farm. header('HTTP/1.0 403 Forbidden'); exit('<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD><TITLE>403 Forbidden</TITLE></HEAD> <BODY><H1>403 Forbidden</H1> <P>You don\'t have permission to access the requested file. </BODY></HTML>');
Depending on your web server's configuration, you may also want to put the same script in the directory with pmwiki.php and name the other copy index.php so it will become the index file for the directory where PmWiki is installed.
Denying access with .htaccess
If your server supports it, you can create a .htaccess file in the farm's installation directory (where pmwiki.php resides) with this:
Order Deny, Allow Deny from All
and create another .htaccess file in the farm's pub/ directory with this:
Allow from All
The first .htaccess file prevents public access to the farm installation, including pmwiki.php and the scripts/ and cookbook/ directories. The second .htaccess file allows browser access to the pub/ directory and its subdirectories like css/, guiedit/ and skins/.
Installing PmWiki outside the web document tree
Installing PmWiki outside the web space has the effect of denying web access to the software's files and also disables the home wiki. Only the pub/ directory (the directory that holds publicly-accessible files) needs to be reachable by a web browser.
Just be sure that
$FarmPubDirUrl is configured to the URL that corresponds to the pub directory. For example, you might put this line in farmconfig.php to do that:
$FarmPubDirUrl = 'http://www.example.com/pub';
$FarmPubDirUrl = 'http://www.example.com/pmwiki/pub';
This is just PmWiki, unpacked into a directory with pub/ moved out and a farmconfig.php created in local/:
/usr/local/pmwiki/ |-- pmwiki.php |-- wikilib.d/ (default pages) |-- cookbook/ (farm-wide cookbook) |-- docs/ |-- scripts/ `-- local/ `-- farmconfig.php (farm-wide configuration file)
Here are the farm's pub/ directory and some directories and files for a sample wiki. The sample wiki's directories and files would be created from scratch by the administrator and PmWiki. (Ideally PmWiki will have created wiki.d/ and uploads/.):
/var/www/ (web document root) | |-- pub/ (wikis' publicly-accessible files) | `-- wiki/ |-- index.php (wrapper script) |-- wiki.d/ (wiki's page storage) |-- local/ (wiki's local configuration) | |-- config.php (...for the entire wiki) | |-- Group.php (...for the Group wikigroup) | `-- Group.Name.php (...for the Group.Name page) |-- cookbook/ (wiki's recipes) |-- uploads/ (wiki's page attachments) `-- pub/ (wikis' publicly-accessible files)
This space is for notes, not questions, etc. If you have a home wiki (a wiki installed in the same directory as the PmWiki software), there's not a compelling reason to convert it to a wiki that is installed away from the PmWiki installation.
- WebServerSecurity for more information about .htaccess files.
- PmWiki.Security for other pages about security.
- WikiFarmAlternative for moving wiki.d outside of the web-accessible area.
See discussion at FarmSecurity-Talk