Instiki
Security

Running as an Unprivileged User

If you have superuser access on the box on which you are running Instiki, you can have a more secure setup by running Instiki under a new, unprivileged UID.

  1. Create a fresh, unprivileged, user, instiki, with no shell access.

  2. Allow this new user access only to those files that are absolutely necessary:

    % sudo chown instiki public secret db db/production.db.sqlite3 config/environment.rb config/database.yml
      % sudo chown -R instiki log storage cache webs tmp

  3. Run Instiki as this new user, instead of as yourself:

    % sudo -u instiki ./instiki --daemon

  4. In this configuration, you can stop Instiki with:

    % sudo -u instiki kill pid-of-Instiki

File Uploads

Instiki provides a mechanism for uploading files to your Wiki. This means, in principle, that miscreants could use your Instiki Wiki as a dropbox for sharing files on the internet.

To mitigate the threat, there is a default limit, of 100 KB, on the size of uploaded files. You can change this limit or — better, yet — disable file uploads on publicly accessible Webs in the Edit Web configuration page.