I just did a TWiki installation for the first time, and it was
not as nice as it could be. While some Apache instructions were
included, they had minor errors ("/twiki/" was aliased, but not
"/twiki" (note trailing slash)). And many other operations either
had no detailed instructions (implementing the security of
the /twiki/data and /twiki/templates is not explained in detail)
or aren't obvious at all since they require TWiki admin experience ("Copy the
TWikiRegistrationPub topic to TWikiRegistration"?).
When I was done, I noticed a security problem, in that there were
default accounts in the twiki/data/.htpasswd file. I wonder how
many public installations have these accounts still there, or
have made an error protecting their /twiki/data or /twiki/templates directories?
And the install wasn't clean, i.e. there were
OfficeLocations, there were users.
[deleted old Mozilla problem] -- RD
Finally, operations like creating a new web look like they could
be scripted (perhaps initially in perl) instead of requiring several error-prone admin actions.
While I'm sure I could figure all of this out, it would probably
be a good idea if it was updated to the point where a fairly
inexperienced person could install TWiki.
--
GregLindahl - 28 Apr 2001
See TWikiUnixInstaller - MichaelSparks is working on something that should address this issue.
--
SvenDowideit - 29 Apr 2001
TWikiUnixInstaller sounds like it'll help out with some of the ease-of-admin issues. But security can't be an add-on, it
needs to be in the main effort. It doesn't sound like he's
going to succeed in cleaning the .htpasswd which is distributed
with all TWiki downloads as a result of
TWikiUnixInstaller...
Should I enter separate bugs for the security issues?
--
GregLindahl - 29 Apr 2001
The installation documentation has been updated to "remove the existing accounts" in .htpasswd.
--
PeterThoeny - 17 Feb 2002
I think the solution here is to provide a cleaner distribution, built automatically from a working installation perhaps - e.g. the build script would generate a zero-length .htpasswd. Alternatively,
TWikiUnixInstaller could do this, but it's best if the actual distribution doesn't have unnecessary users, to avoid security back doors.
--
RichardDonkin - 28 Feb 2002
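The build-time cleanup suggested above (ship a zero-length .htpasswd, and check an install for accounts that should not be there), as an added example that is not part of this thread or of TWiki itself. The twiki/data layout is the one the thread names; the sample accounts are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit the accounts in a TWiki
# data/.htpasswd and produce the zero-length file a clean distribution
# would carry. Sample accounts below are constructed for the demo.

# List user names in an htpasswd file, one per line (format: user:hash).
htpasswd_users() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" 2>/dev/null | cut -d: -f1
}

# Number of accounts in the file; 0 is what a fresh install should show.
htpasswd_count() {
    htpasswd_users "$1" | wc -l | tr -d ' '
}

# Print accounts not in the admin's allow-list (allowed names as extra args).
htpasswd_unexpected() {
    file=$1; shift
    for u in $(htpasswd_users "$file"); do
        keep=0
        for ok in "$@"; do [ "$u" = "$ok" ] && keep=1; done
        [ "$keep" -eq 0 ] && echo "$u"
    done
    return 0
}

# Build step for a clean distribution: replace data/.htpasswd with an empty
# file, readable only by its owner (assumed to be the web server user).
clean_htpasswd() {
    : > "$1/.htpasswd"
    chmod 600 "$1/.htpasswd"
}

# Demo on a constructed data directory.
demo_dir=$(mktemp -d)
printf 'ExampleUser:$apr1$constructed$hash1\nAnotherUser:$apr1$constructed$hash2\n' \
    > "$demo_dir/.htpasswd"
echo "accounts before: $(htpasswd_count "$demo_dir/.htpasswd")"
echo "not on the allow-list:"; htpasswd_unexpected "$demo_dir/.htpasswd" ExampleUser
clean_htpasswd "$demo_dir"
echo "accounts after: $(htpasswd_count "$demo_dir/.htpasswd")"
rm -rf "$demo_dir"
```

Run htpasswd_unexpected against a live install with the admin's own accounts as arguments; anything it prints is a leftover to remove.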
Actually, I found the default accounts useful, as examples of how accounts should be set up. After setting up your own, of course, you should take away the others (unless you want these guys to be users, of course:-).
--
HendrikBoom - 06 Mar 2002