Instiki
Security

Running as an Unprivileged User

If you have superuser access on the box on which you are running Instiki, you can have a more secure setup by running Instiki under a new, unprivileged UID.

  1. Create a new, unprivileged user, instiki, with no shell access.
  2. Allow this new user access only to those files that are absolutely necessary:
       % sudo chown instiki public secret db db/production.db.sqlite3
       % sudo chown -R instiki log storage cache
  3. Run Instiki as this new user, instead of as yourself:
       % sudo -u instiki ./instiki --daemon
  4. In this configuration, you can stop Instiki with:
       % sudo -u instiki kill pid-of-Instiki
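
To check that a tree actually matches the ownership set up in step 2, a small audit helper can be sourced into a shell. This is an added example, not part of Instiki; the function name audit_instiki_owner and its output labels are made up for illustration, and it assumes it is run from an account that can read the whole Instiki directory.

```shell
#!/bin/sh
# Added example, not part of Instiki: audit file ownership against step 2.
# Usage: audit_instiki_owner INSTIKI_DIR SERVICE_USER   (name or numeric uid)
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 on bad dir.
#   NOT-OWNED <path>  a path step 2 gives to the user belongs to someone else
#   OWNED <path>      the user owns something outside those paths (e.g. code)
audit_instiki_owner() (
    cd "$1" || exit 2
    user=$2
    findings=$(
        # First chown has no -R: check each named path itself, not its contents.
        for p in public secret db db/production.db.sqlite3; do
            [ -n "$(find "$p" -prune -user "$user" 2>/dev/null)" ] ||
                echo "NOT-OWNED $p"
        done
        # Second chown is recursive: every entry below must belong to the user.
        for d in log storage cache; do
            [ -e "$d" ] || echo "NOT-OWNED $d"
            find "$d" ! -user "$user" 2>/dev/null | sed 's/^/NOT-OWNED /'
        done
        # Anything else owned by the user is write access it does not need.
        find . \( -path ./public -o -path ./secret -o -path ./db \
                  -o -path ./log -o -path ./storage -o -path ./cache \) -prune \
               -o -user "$user" -print | sed 's/^/OWNED /'
    )
    [ -z "$findings" ] && exit 0
    printf '%s\n' "$findings"
    exit 1
)
```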

File Uploads

Instiki provides a mechanism for uploading files to your Wiki. This means, in principle, that miscreants could use your Instiki Wiki as a dropbox for sharing files on the internet.

To mitigate the threat, there is a default limit of 100 KB on the size of uploaded files. You can change this limit or, better yet, disable file uploads on publicly accessible Webs in the Edit Web configuration page.