File permissions

From www.ReeltoReel.nl Wiki
Revision as of 06:19, 21 September 2018 by Pvdm (talk | contribs)


One of the most important things you can do to help secure your MediaWiki install is to ensure that the user you run PHP as (often www-data on Debian) and the user you run MySQL as do not have write access to any web-accessible directory in which PHP is enabled.

On Unix-like systems, you can do this by ensuring that the MediaWiki directory and files are owned by someone other than your web server user (www-data) or MySQL server user. Depending on how you installed MediaWiki this may already be the case; if not, it can be accomplished with chown -R <usernamehere> /path/to/MediaWiki/, where the username is a user other than the web server or MySQL user (commonly you would use your own username, provided MySQL and PHP are not running as your username).

After doing that step, you may however need to change the owner of the images directory back to the PHP user, as uploaded files need to go there, so MediaWiki needs to be able to write there (e.g. chown -R www-data /path/to/MediaWiki/images). Next, run chmod -R go-w /path/to/MediaWiki to remove write access from all users other than the file owners. After doing that step you may need to re-enable write access to the images directory.

Directories that MediaWiki needs write access to (such as $wgCacheDirectory, if that feature is enabled) should be located outside of the web root. The exception is the images directory, which must be in the web root. However, it is important to disable PHP in the images directory. The details of how to do this vary with the web server, but on Apache it can sometimes be accomplished by using php_flag engine off in a .htaccess file. If you do accomplish this via a config file in the images directory itself, you should ensure the config file is not writable by the web server. See the section below on upload security for more details.

Your LocalSettings.php file must be readable by the PHP user, but it should not be world-readable, to prevent other processes from discovering your database password and other sensitive information. Like all MediaWiki files, the PHP user should not be able to write to LocalSettings.php.
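The following script is an added example, not part of the original wiki page or of MediaWiki itself. It applies the steps described above (owner change, chmod -R go-w, re-enabling write access on images, php_flag engine off in images/.htaccess, and a non-world-readable LocalSettings.php) as one function, and adds an audit function that reports any remaining group- or world-writable path outside images/, a missing or writable images/.htaccess, or a world-readable LocalSettings.php. The install path, owner name and web user name are assumptions passed in as parameters (defaults: MW_ROOT, the invoking user, www-data); the chown/chgrp steps need root and an existing web user and are skipped otherwise, so the mode-bit steps and the audit still work on an unprivileged test tree.

```shell
#!/bin/sh
# Added example (not from the wiki page): apply and verify the MediaWiki
# file-permission layout. Assumed parameters: root of the install, the
# admin user that should own the files, and the user PHP runs as.

harden_mediawiki_tree() {
    root="$1"; owner="$2"; webuser="$3"
    # 1. nobody but the file owner may write anywhere under the web root
    chmod -R go-w "$root"
    # 2. uploads directory: its owner (the PHP user, once chown'd) must write here
    chmod -R u+w "$root/images"
    # 3. disable PHP execution for uploaded files (Apache syntax; other servers differ)
    printf 'php_flag engine off\n' > "$root/images/.htaccess"
    chmod 644 "$root/images/.htaccess"
    # 4. LocalSettings.php: readable by owner and the PHP user's group, not by world
    chmod 640 "$root/LocalSettings.php"
    # 5. ownership changes need root and an existing web user; skipped otherwise
    if [ "$(id -u)" -eq 0 ] && id "$webuser" >/dev/null 2>&1; then
        chown -R "$owner" "$root"
        chown -R "$webuser" "$root/images"
        chown "$owner" "$root/images/.htaccess"        # config file not owned by the web user
        chgrp "$(id -gn "$webuser")" "$root/LocalSettings.php"
    else
        echo "warning: not root or user '$webuser' missing; ownership left unchanged" >&2
    fi
}

# Audit the tree; prints each finding, returns 0 when clean, 1 otherwise.
audit_mediawiki_tree() {
    root="$1"; bad=0
    # any group- or world-writable path outside images/ is a finding
    writable=$(find "$root" -path "$root/images" -prune -o \
                 \( -perm -g=w -o -perm -o=w \) -print | wc -l | tr -d ' ')
    if [ "$writable" -gt 0 ]; then
        echo "FAIL: $writable group/world-writable path(s) outside images/" >&2; bad=1
    fi
    # images/.htaccess must exist, turn PHP off, and not be writable by others
    htaccess="$root/images/.htaccess"
    if ! grep -qs '^php_flag engine off' "$htaccess" || \
       [ -n "$(find "$htaccess" -perm -g=w -o -perm -o=w 2>/dev/null)" ]; then
        echo "FAIL: images/.htaccess missing, not disabling PHP, or writable" >&2; bad=1
    fi
    # LocalSettings.php must not be world-readable
    if [ ! -f "$root/LocalSettings.php" ] || \
       [ -n "$(find "$root/LocalSettings.php" -perm -o=r)" ]; then
        echo "FAIL: LocalSettings.php missing or world-readable" >&2; bad=1
    fi
    return $bad
}

# Usage: MW_ROOT=/path/to/MediaWiki OWNER=alice WEB_USER=www-data sh harden.sh
if [ -n "${MW_ROOT:-}" ]; then
    harden_mediawiki_tree "$MW_ROOT" "${OWNER:-$(id -un)}" "${WEB_USER:-www-data}"
    audit_mediawiki_tree "$MW_ROOT"
fi
```

Note that because the web user owns images/, it can still unlink or replace the .htaccess file even when the file itself belongs to the admin; that is why the page prefers disabling PHP for that directory in the web server configuration rather than in a file inside the directory, and why the audit treats a missing .htaccess as a finding.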