If you have superuser access on the box on which you are running Instiki, you can have a more secure setup by running Instiki under a new, unprivileged UID.
Create a fresh, unprivileged, user,
instiki, with no shell access.
Allow this new user access only to those files that are absolutely necessary:
% sudo chown instiki public secret db db/production.db.sqlite3 config/environment.rb config/database.yml % sudo chown -R instiki log storage cache webs tmp
Run Instiki as this new user, instead of as yourself:
% sudo -u instiki ./instiki --daemon
In this configuration, you can stop Instiki with:
% sudo -u instiki kill pid-of-Instiki
Instiki provides a mechanism for uploading files to your Wiki. This means, in principle, that miscreants could use your Instiki Wiki as a dropbox for sharing files on the internet.
To mitigate the threat, there is a default limit, of 100 KB, on the size of uploaded files. You can change this limit or — better, yet — disable file uploads on publicly accessible Webs in the Edit Web configuration page.