potential security issue questions
Forgive me, I'm new to MediaWiki, but how dangerous is it to give read/write access to all potential users?
Start telnet with port 22
find / -name 'compiled_templates' [cr]
[result] /share/MD0_DATA/Qweb/mediawiki-1.15.1/extensions/Widgets/compiled_templates
chmod a+rw /share/MD0_DATA/Qweb/mediawiki-1.15.1/extensions/Widgets/compiled_templates
I was just wondering if there is any more secure way of doing this so that a would-be hacker couldn't mess this up, or is there something I'm missing that makes this more secure than I think it is?
Thanks for your time.
I'm not the extension author, so I'm basing this on other knowledge I have on how webservers work, etc.
From what I can tell, the reason to make this writable by everyone is because the webserver runs as a (presumably) different user than you who owns the files. Since the webserver (PHP specifically) needs to be able to write to that directory, you need to give that user write permissions. The easiest way to do this without assuming people have strong working knowledge of Linux permissions is to simply make it writable by everyone. Is this the most secure way to do so? Absolutely not, but it certainly is the easiest to follow. Alternatives include running PHP as a CGI module (via fastcgi or similar) in Apache so that the PHP gets executed as the user who owns the file, and thus you would not need to make it world-writable. Another alternative is to chown/chgrp (dunno if chgrp is a command or not, but it sounds like it should be) to the user PHP/Apache is running as (probably www-data or nobody) so that you can set user/group permissions instead of world permissions.
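The group-ownership alternative from the reply above, as an added example that is not part of the original thread or the extension's documentation. It assumes you own the directory and that the web server runs under a dedicated group; `www-data` in the usage comment is an assumption, so check which account PHP runs as on your system.

```shell
#!/bin/sh
# Added example: give write access to the web server's group only,
# instead of "chmod a+rw". Function names are illustrative.

# Return 0 if "others" have write permission on the given path.
is_world_writable() {
    # Character 9 of the ls mode string is the write bit for "others".
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# Print every file or directory under $1 that is still world-writable.
list_world_writable() {
    find "$1" ! -type l -perm -0002
}

# Hand the directory to one group and drop all access for "others".
restrict_to_group() {
    dir=$1
    group=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    chgrp -R "$group" "$dir" || return 1
    # Directories: rwx for owner and group, setgid so that files the
    # web server creates later inherit the same group.
    find "$dir" -type d -exec chmod 2770 {} \; || return 1
    # Files: rw for owner and group, nothing for others.
    find "$dir" -type f -exec chmod 660 {} \; || return 1
    # Verify the result rather than trusting the chmod calls.
    if is_world_writable "$dir" || [ -n "$(list_world_writable "$dir")" ]; then
        echo "still world-writable: $dir" >&2
        return 1
    fi
}

# Usage (group name is an assumption):
#   sh restrict.sh /path/to/extensions/Widgets/compiled_templates www-data
if [ "$#" -eq 2 ]; then
    restrict_to_group "$1" "$2"
fi
```

Your own account must be a member of the target group (or you must run this as root) for `chgrp` to succeed.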
There is no way around it until Widgets are rewritten using new Smarty which does not require the files on the drive to be created.