Get XOOPS XOOPSXOOPS FAQFAQ ForumsForums NewsNews ThemesThemes ModulesModules

Search


Advanced Search

Donate to XOOPS!

Please select an amount to donate


Do you want your username revealed with your donation?
Yes - List me as a Generous Donor
No - List my donation as from an Anonymous Donor


XOOPS Blue Move XOOPS Giftshop XOOPS Blue Move
Share


Local Support

Advertisement

XOOPS Code hosted on SourceForge

Cumulus Tag Cloud

admin Arabic banner block Christmas comments cumulus DayDawn dhsoft e-Commerce E-Learning Git Google GUI hacks instant-zero jQuery module mygalleries news Nordic Olédrion oxygen PageRank PHP rmcommon security SEO simple-XOOPS Smarty sport tag Theme tutorial wiki WOX xoops XoopsEngine ZendFramework
more...

New Users

Registering user

# 133948

guilhermeans

Welcome to XOOPS!
[Main Page]

Paranoid Permissions

From XOOPS Web Application System

Main Page | Recent changes | Edit this page | Page history | Switch to MediaWiki mode

Printable version | Disclaimers | Privacy policy
Categories: English documentation | MediaWiki User's Guide

{{#if: |{{#if: |{{H:h}}|Template:H:h Help}}|Template:H:h Help}}

[edit]

Apache and CGIWrap

If you have your own server running Apache and are running PHP as CGI, you can install CGIWrap. This tool enables you to run the Apache server as a different user for CGIs.

That way, you can create a new user for your MediaWiki pages. Installing CGIWrap is beyond the scope of this document, especially since you must compile it accordingly to your own server. However, as a quick guideline, you can follow these rules:

  • Create a Wikimedia user 
useradd -M -s /sbin/nologin wikiuser
  • Have a cgi-bin folder, containing CGIWrap (example in /home/myuser/cgi-bin). Once everything is configured, keep only cgiwrap, move the debug versions to another folder if you ever need it. Your cgiwrap file should be accessible only to Apache (chown and chmod accordingly). 
chown apache:apache cgiwrap
chmod 500 cgiwrap
  • Inside the cgi-bin folder, create a symbolic link to the Wikimedia root. 
ln -s /home/myuser/public_html/wiki /home/myuser/cgi-bin/wikilink
  • In your wiki's .htaccess file, add the following definitions: 
AddHandler php-wrapper .php
Action php-wrapper /cgi-bin/cgiwrap/wikiuser/wikilink
  • Finally, chown and chmod all the .php files of your Wikimedia folder to be accessible solely by wikiuser. 
chown -R wikiuser:wikiuser *.php
chmod -R 500 *.php

The files will be accessible as usual. You do not need to specify in your path any cgi-bin, as this is transparently taken care for you.

I strongly suggest you start out with /cgi-bin/cgiwrapd/... as your php-wrapper, as it will precisely show what is currently working. I also strongly suggest you do not delete your CGIWrap source folder until everything works perfectly as this is a real trial and error process, taking a long time. However, it's all worth your time as your MediaWiki will be run in its own separate process, in its own uid, without being able to interfere any other uid. Inverse is also true, except for root, that can read anything anywhere.

Retrieved from "http://xoops.org/modules/mediawiki/index.php/Paranoid_Permissions"

This page has been accessed 1,793 times. This page was last modified 06:09, 20 November 2007. Content is available under XOOPS Web Application System.