If you have superuser access on the box on which you are running Instiki, you can have a more secure setup by running Instiki under a new, unprivileged UID.
Create a new, unprivileged user, instiki, with no shell access.
Allow this new user access only to those files that are absolutely necessary:
% sudo chown instiki . public secret db db/production.db.sqlite3
% sudo chown -R instiki log storage cache
Note that the Instiki directory itself is among the directories that must be owned by the instiki user.
If you've already created one or more wikis, you'll have to change the ownership of their public directories as well:
% sudo chown -R instiki public/name_of_wiki/
Run Instiki as this new user, instead of as yourself:
% sudo -u instiki ./instiki --daemon
In this configuration, you can stop Instiki with:
% sudo -u instiki kill pid-of-Instiki
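To confirm that the ownership layout from the steps above is actually in place (for example after an upgrade or a restore from backup), the following check can be run from a shell. It is an added example, not part of Instiki; the function name, its arguments and the output labels are assumptions made here.

```shell
#!/bin/sh
# Added example: audit the ownership layout set up in the steps above.
# Usage: check_instiki_owner <instiki_dir> [user_or_uid] [wiki_name ...]

# Paths the page chowns non-recursively, relative to the Instiki directory.
INSTIKI_FLAT=". public secret db db/production.db.sqlite3"
# Directories the page chowns recursively (chown -R).
INSTIKI_TREES="log storage cache"

# Prints one line per problem. Returns 0 if the layout matches, 1 if a path
# is missing or not owned by the user, 2 if the user does not exist.
check_instiki_owner() {
    root=$1; user=${2:-instiki}; bad=0; trees=$INSTIKI_TREES
    if [ $# -ge 2 ]; then shift 2; else shift $#; fi
    # Each wiki's public directory is chowned recursively as well.
    for w in "$@"; do trees="$trees public/$w"; done
    case $user in
        ''|*[!0-9]*) uid=$(id -u "$user" 2>/dev/null) ||
                         { echo "NO-SUCH-USER $user"; return 2; } ;;
        *) uid=$user ;;   # a numeric UID was given directly
    esac
    for p in $INSTIKI_FLAT; do
        if [ ! -e "$root/$p" ]; then
            echo "MISSING $p"; bad=1
        # -prune keeps find on the path itself; output is empty if not owned.
        elif [ -z "$(find "$root/$p" -prune -user "$uid")" ]; then
            echo "WRONG-OWNER $p"; bad=1
        fi
    done
    for d in $trees; do
        if [ ! -d "$root/$d" ]; then
            echo "MISSING $d"; bad=1; continue
        fi
        # Everything below a chown -R directory must belong to the user.
        stray=$(find "$root/$d" ! -user "$uid")
        if [ -n "$stray" ]; then
            echo "$stray" | sed 's/^/WRONG-OWNER /'; bad=1
        fi
    done
    return "$bad"
}
```

Run it from the Instiki directory as `check_instiki_owner . instiki name_of_wiki`; no output and exit status 0 mean every listed path belongs to the instiki user.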
Instiki provides a mechanism for uploading files to your Wiki. This means, in principle, that miscreants could use your Instiki Wiki as a dropbox for sharing files on the internet.
To mitigate the threat, there is a default limit of 100 KB on the size of uploaded files. You can change this limit or, better yet, disable file uploads on publicly accessible Webs in the Edit Web configuration page.