I just did a TWiki installation for the first time, and it was not as nice as it could be. While some Apache instructions were included, they had minor errors ("/twiki/" was aliased, but not "/twiki" (note trailing slash)). And many other operations either had no detailed instructions (implementing the security of the /twiki/data and /twiki/templates is not explained in detail) or aren't obvious at all since they require TWiki admin experience ("Copy the TWikiRegistrationPub topic to TWikiRegistration"?)

When I was done, I noticed a security problem, in that there were default accounts in the twiki/data/.htpasswd file. I wonder how many public installations have these accounts still there, or have made an error protecting their /twiki/data or /twiki/templates directories?

And the install wasn't clean, i.e. there were OfficeLocations, there were users.

[deleted old Mozilla problem] -- RD

Finally, operations like creating a new web look like they could be scripted (perhaps initially in Perl) instead of requiring several error-prone admin actions.

While I'm sure I could figure all of this out, it would probably be a good idea if it was updated to the point where a fairly inexperienced person could install TWiki.

-- GregLindahl - 28 Apr 2001

See TWikiUnixInstaller - MichaelSparks is working on something that should address this issue.

-- SvenDowideit - 29 Apr 2001

TWikiUnixInstaller sounds like it'll help out with some of the ease-of-admin issues. But security can't be an add-on, it needs to be in the main effort. It doesn't sound like he's going to succeed in cleaning the .htpasswd which is distributed with all TWiki downloads as a result of TWikiUnixInstaller...

Should I enter separate bugs for the security issues?

-- GregLindahl - 29 Apr 2001

The installation documentation has been updated to "remove the existing accounts" in .htpasswd.

-- PeterThoeny - 17 Feb 2002

I think the solution here is to provide a cleaner distribution, built automatically from a working installation perhaps - e.g. the build script would generate a zero-length .htpasswd. Alternatively, TWikiUnixInstaller could do this, but it's best if the actual distribution doesn't have unnecessary users, to avoid security back doors.

-- RichardDonkin - 28 Feb 2002

Actually, I found the default accounts useful, as examples of how accounts should be set up. After setting up your own, of course, you should take away the others (unless you want these guys to be users, of course:-).

-- HendrikBoom - 06 Mar 2002
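
As an added example (not part of the thread or of the TWiki distribution), one way to check an installation for the leftover accounts discussed above is to compare the installed twiki/data/.htpasswd with the copy taken from the download archive. The function names, file names and sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not TWiki code. Account names and hashes are constructed.

# leftover_accounts SHIPPED_HTPASSWD INSTALLED_HTPASSWD
# For each installed account whose name also appears in the shipped file:
#   UNCHANGED <user>  entry identical to the shipped one (shipped password still works)
#   NAME-ONLY <user>  shipped account name kept, but the hash was replaced
# Exit status is 1 if any UNCHANGED entry exists, otherwise 0.
leftover_accounts() {
    awk '
        { sub(/\r$/, "") }                  # tolerate CRLF line endings
        /^[ \t]*(#|$)/ { next }             # skip comments and blank lines
        {
            i = index($0, ":")
            if (i < 2) next                 # not a user:hash line
            user = substr($0, 1, i - 1)
            rest = substr($0, i + 1)        # hash (and any further fields)
        }
        FILENAME == ARGV[1] { shipped[user] = rest; next }
        (user in shipped) {
            if (shipped[user] == rest) { print "UNCHANGED " user; bad = 1 }
            else print "NAME-ONLY " user
        }
        END { exit bad + 0 }
    ' "$1" "$2"
}

# write_sample DIR: constructed stand-ins for the shipped and installed files
write_sample() {
    cat > "$1/dist.htpasswd" <<'EOF'
SampleUserOne:xxHASHone000
SampleUserTwo:xxHASHtwo000
EOF
    cat > "$1/installed.htpasswd" <<'EOF'
SampleUserOne:xxHASHone000
SampleUserTwo:zzREPLACED00
LocalAdmin:yyHASHlocal0
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp"
leftover_accounts "$tmp/dist.htpasswd" "$tmp/installed.htpasswd" \
    || echo "remove the UNCHANGED accounts from the installed file" >&2
rm -rf "$tmp"
```

A non-zero exit status makes the check usable as a gate in an install or packaging script, in line with the suggestion to ship a distribution without unnecessary users.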

Topic revision: r11 - 2003-07-29 - RichardDonkin
Copyright © 1999-2017 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.