File permissions

One of the important things you can do to help secure your MediaWiki install is to ensure that the user PHP runs as (often www-data on Debian) and the user MySQL runs as do not have write access to any web-accessible directory with PHP enabled.

permissions

New install of MediaWiki 1.28 on Ubuntu 16.04. Permissions for /var/www/html set to 755, owned by me user:www-data.

Did a Download from Git install, before and after doing composer install, the file and directory permissions are readable and writable but not executable for group. Should I set them to 755 manually?

In your MediaWiki directory, the following SSH commands should work:

   find . -type f -exec chmod 644 {} \;
   find . -type d -exec chmod 755 {} \;

securing

The following picks up on a fresh working LAMP installation under Red Hat 7 or a clone (CentOS 7, Scientific Linux 7, Oracle 7, etc). Set SELinux to permissive for the installation.

   setenforce 0

First get the MediaWiki version you want from https://releases.wikimedia.org/mediawiki/ , at the time of writing the latest is https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.0.tar.gz and unpack it in /var/www/html/w.

Navigate to https://www.example.com/w and follow the on-screen instructions to generate the content for LocalSettings.php. Create LocalSettings.php with

   vi /var/www/html/w/LocalSettings.php

and paste the content into the file (i to enter insert mode, CTRL+SHIFT+v to paste the content, ESC to exit insert mode, ZZ (the letter Z twice) to save and exit vi). Now secure LocalSettings.php with

   chown root:apache /var/www/html/w/LocalSettings.php
   chmod 640 /var/www/html/w/LocalSettings.php

Delete mw-config if it exists, since it is only used for the first-time setup of MediaWiki.

   rm -rf /var/www/html/w/mw-config

Enable the use of .htaccess files by creating a custom configuration file for Apache httpd.

   cat >> /etc/httpd/conf.d/custom.conf << EOF
   <Directory "/var/www/html/w">
    AllowOverride All
   </Directory>
   EOF

Now one should customize LocalSettings.php to one's taste. Here is an overview of the variables that can be customized: https://www.mediawiki.org/wiki/Manual:Configuration_settings

Since we want to access our MediaWiki installation under https://www.example.com/wiki we need to set $wgArticlePath in LocalSettings.php. Just add the following line at the bottom of LocalSettings.php

   $wgArticlePath = "/wiki/$1";

and update /etc/httpd/conf.d/ssl.conf by adding one line.

   <VirtualHost _default_:443>
   # only add the following Alias line (Apache does not allow a trailing comment on a directive line)
   Alias /wiki /var/www/html/w/index.php

selinux

Now finish securing the MediaWiki installation. This *may* be needed for SELinux, e.g. database on a different server, etc.

   setsebool -P httpd_can_network_connect 1
   setsebool -P httpd_can_network_connect_db 1

This *is* needed for SELinux to run MediaWiki.

   setsebool -P httpd_builtin_scripting 1
   setsebool -P httpd_execmem 1

Set user rights and special SELinux rights, so Apache httpd has read access, but other users besides root don't.

   chown -R root:apache /var/www/html/
   find /var/www/html/w -type d -exec chmod 750 {} \;
   find /var/www/html/w -type f -exec chmod 640 {} \;

MediaWiki writes to images and cache, so they need special write permissions.

   chown -R apache:apache /var/www/html/w/images
   chown -R apache:apache /var/www/html/w/cache
   semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/w/cache(/.*)?"
   semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/w/images(/.*)?"
   restorecon -R /var/www/html/w

Found SELinux complaining about hugetlbfs, so add an exception.

   cd /var/log/audit
   grep hugetlbfs audit.log | audit2allow -M hugetlbfs
   semodule -i hugetlbfs.pp

Now restart Apache httpd and set SELinux back to enforcing.

   setenforce 1
   systemctl restart httpd
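
A read-only check of the finished layout, added here as an example and not part of the original page: it flags anything outside images/ and cache/ that the web-server account could modify, a LocalSettings.php that other users can access, and a leftover mw-config. The function name audit_mw_perms and the finding labels are made up for this example; the defaults are the path and the apache user/group used above.

```shell
#!/bin/sh
# Added example (not from the original page): audit a MediaWiki tree against
# the ownership and mode scheme described above.
# Usage: audit_mw_perms [ROOT] [WEB_USER] [WEB_GROUP]
# Prints one finding per line; returns 0 if clean, 1 on findings,
# 2 if the audit could not be completed.
audit_mw_perms() {
    root=${1:-/var/www/html/w}; user=${2:-apache}; group=${3:-apache}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    # Code tree: skip images/ and cache/ (the only places MediaWiki must
    # write to), then list anything the web server could modify: owned by
    # its user, group-writable for its group, or world-writable.
    # find fails on an unknown user or group; report that instead of "clean".
    writable=$(find "$root" \( -path "$root/images" -o -path "$root/cache" \) -prune -o \
        \( -user "$user" -o \( -group "$group" -perm -020 \) -o -perm -002 \) -print) ||
        { echo "find failed; audit incomplete" >&2; return 2; }
    findings=$(
        if [ -n "$writable" ]; then
            printf '%s\n' "$writable" | sed 's/^/WEB-WRITABLE: /'
        fi
        # LocalSettings.php holds the database password: no access for
        # "other" (the page sets it to 640).
        if [ -f "$root/LocalSettings.php" ]; then
            find "$root/LocalSettings.php" \
                \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
                sed 's/^/LOCALSETTINGS-WORLD-ACCESS: /'
        fi
        # The installer directory should be gone after first-time setup.
        if [ -e "$root/mw-config" ]; then
            echo "INSTALLER-PRESENT: $root/mw-config"
        fi
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

On Debian or Ubuntu, pass www-data as the user and group, for example `audit_mw_perms /var/www/html/w www-data www-data`.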

Understandably this covers only the basics, and MediaWiki offers thousands of ways to customize it further to one's taste and security needs.

Don't forget to make regular backups.

Further suggestions can be found here https://www.pozzo-balbi.com/help/Mediawiki .


Revision #3
Created 2026-04-01 17:14:32 CEST by Philip
Updated 2026-04-13 19:24:56 CEST by Philip