File permissions: Difference between revisions

From www.ReeltoReel.nl Wiki
Latest revision as of 07:24, 21 September 2018

File permissions

One of the most important things you can do to help secure your MediaWiki install is to ensure that the user you are running php as (often www-data on Debian) and the user you are running mysql as do not have write access to any web-accessible directory with php enabled.

  • On unix-like systems, you can do this by ensuring that the MediaWiki directory/files are owned by someone other than your web server user (www-data) or mysql server user. Depending on how you installed MediaWiki this may already be the case, but if not it can be accomplished by doing chown -R <usernamehere> /path/to/MediaWiki/ where username is a user other than the webserver or mysql user (commonly you would use your own username, provided mysql and php are not running as your username).
  • After doing that step, you may however need to change the owner of the image directory back to the php user, as uploaded files need to go there, so MediaWiki needs to be able to write there (e.g. chown -R www-data /path/to/MediaWiki/images).
  • Next you run chmod -R go-w /path/to/MediaWiki to remove write access from all other users besides the file owners.
  • After doing that step you may need to re-enable write access to the images directory.
  • Directories that MediaWiki needs write access to (such as $wgCacheDirectory if that feature is enabled) should be located outside of the web root. The exception being the images directory, which must be in the web root.
  • However, it is important to disable php in the images directory. The details of how to do this vary with the webserver, but on Apache it can sometimes be accomplished by using php_flag engine off in a .htaccess file. If you do accomplish this via a config file in the images directory itself, you should ensure the config file is not writable by the webserver. See the section below on upload security for more details.
  • Your LocalSettings.php file must be readable by the php user, however it should not be world readable, to prevent other processes from discovering your database password and other sensitive information. Like all MediaWiki files, the php user should not be able to write to LocalSettings.php.
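The list above is a procedure, so here is an added example (not from the wiki page or from MediaWiki itself) that applies the mode changes it describes and then audits the tree for the two conditions it warns about: files writable by group or other outside images/, and a world-readable LocalSettings.php. The chown steps need root and a real web-server account, so they are only performed when an owner and web user are passed in; the user names in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not part of the wiki page or of MediaWiki.
# harden_mw_modes DIR [OWNER] [WEBUSER]
#   Removes group/other write bits from the whole tree, locks LocalSettings.php
#   to 640 and, only when OWNER and WEBUSER are given (assumed e.g. "alice" and
#   "www-data"), performs the ownership steps from the list above.
harden_mw_modes() {
    dir=$1; owner=$2; webuser=$3
    [ -d "$dir" ] || return 1
    if [ -n "$owner" ] && [ -n "$webuser" ]; then
        chown -R "$owner" "$dir" || return 1          # tree owned by a non-web user
        chown -R "$webuser" "$dir/images" || return 1 # uploads must stay writable
    fi
    chmod -R go-w "$dir" || return 1                  # nobody but the owner writes
    # go-w leaves u+w alone, so images/ stays writable by its (php) owner.
    [ -f "$dir/LocalSettings.php" ] && chmod 640 "$dir/LocalSettings.php"
    return 0
}

# audit_mw_perms DIR
#   Prints offending paths; returns 1 if anything is wrong, 0 if the tree is clean.
audit_mw_perms() {
    dir=$1
    bad=0
    # Anything outside images/ with the group (020) or other (002) write bit set.
    found=$(find "$dir" -path "$dir/images" -prune -o \
                 \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$found" ]; then
        printf 'writable by group/other:\n%s\n' "$found"
        bad=1
    fi
    # LocalSettings.php holds the database password; no other (004) read bit.
    if [ -f "$dir/LocalSettings.php" ] && \
       find "$dir/LocalSettings.php" -perm -004 | grep -q .; then
        echo "world-readable: $dir/LocalSettings.php"
        bad=1
    fi
    return $bad
}

# Usage (assumed paths/users):
#   harden_mw_modes /path/to/MediaWiki alice www-data
#   audit_mw_perms  /path/to/MediaWiki
```

The audit cannot tell who the php user is without root, so it checks the part that is visible from the mode bits alone: nothing outside images/ may be writable by anyone but its owner, and LocalSettings.php must not be readable by other. Run it after any upgrade or composer install, since those commonly recreate files with looser modes.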

permissions

New install of MediaWiki 1.28 on Ubuntu 16.04. Permissions for /var/www/html set to 755, owned by me user:www-data.

Did a Download from Git install, before and after doing composer install, the file and directory permissions are readable and writable but not executable for group. Should I set them to 755 manually?

In your MediaWiki directory, the following SSH commands should work:

find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;

securing

The following picks up on a fresh working LAMP installation under Red Hat 7 or a clone (CentOS 7, Scientific Linux 7, Oracle 7, etc.). Set SELinux to permissive for the installation.

   setenforce 0

First get the Mediawiki version you want from https://releases.wikimedia.org/mediawiki/ ; at the time of writing the latest is https://releases.wikimedia.org/mediawiki/1.27/mediawiki-1.27.0.tar.gz . Unpack it in /var/www/html/w.

Navigate to https://www.example.com/w and follow on-screen instructions to generate content used for LocalSettings.php. Create LocalSettings.php with

   vi /var/www/html/w/LocalSettings.php

and paste content into file (i -> enter insert mode, CTRL+SHIFT+v to paste content, ESC -> to exit insert mode, ZZ (twice letter Z) to save and exit vi). Now secure LocalSettings.php with

   chown root:apache /var/www/html/w/LocalSettings.php
   chmod 640 /var/www/html/w/LocalSettings.php

Delete mw-config if it exists, since it is only used for first time setup of mediawiki.

   rm -rf /var/www/html/w/mw-config

Enable use of .htaccess files by creating custom configuration file for Apache httpd.

   cat >> /etc/httpd/conf.d/custom.conf << EOF
   <Directory "/var/www/html/w">
    AllowOverride All
   </Directory>
   EOF

Now one should customize LocalSettings.php to one's taste. Here an overview of variables that can be customized: https://www.mediawiki.org/wiki/Manual:Configuration_settings

Since we want to access our Mediawiki installation under https://www.example.com/wiki we need to set $wgArticlePath in LocalSettings.php. Just add the following line at the bottom of LocalSettings.php

   $wgArticlePath = "/wiki/$1";

and update /etc/httpd/conf.d/ssl.conf by adding one line.

   <VirtualHost _default_:443>
   Alias /wiki /var/www/html/w/index.php  # <-- only add this line

selinux

Now finish securing the Mediawiki installation. This *may* be needed for SELinux, e.g. when the database is on a different server, etc.

   setsebool -P httpd_can_network_connect 1
   setsebool -P httpd_can_network_connect_db 1

This *is* needed for SELinux to run Mediawiki.

   setsebool -P httpd_builtin_scripting 1
   setsebool -P httpd_execmem 1

Set user rights and special SELinux rights, so Apache httpd has read access but other users besides root don't.

   chown -R root:apache /var/www/html/
   find /var/www/html/w -type d -exec chmod 750 {} \;
   find /var/www/html/w -type f -exec chmod 640 {} \;

Mediawiki writes to images and cache, so they need special write permissions.

   chown -R apache:apache /var/www/html/w/images
   chown -R apache:apache /var/www/html/w/cache
   semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/w/cache(/.*)?"
   semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/w/images(/.*)?"
   restorecon -R /var/www/html/w

Found SELinux complaining about hugetlbfs, so add an exception.

   cd /var/log/audit
   grep hugetlbfs audit.log | audit2allow -M hugetlbfs
   semodule -i hugetlbfs.pp

Now restart Apache httpd and set SELinux back to enforcing.

   setenforce 1
   systemctl restart httpd

Understandably this covers only the basics and Mediawiki offers thousands of ways to customize it further to one's taste and security needs.

Don't forget to make regular backups.

Further suggestions can be found here https://www.pozzo-balbi.com/help/Mediawiki .