Topic: Testing MediaWiki 1.15.1 on SME 8.0Beta4

[cool34000]

Hi all,

Here's another howto for SME8 only...

Code: [Select]

## DEPENDENCIES
yum install ImageMagick audit-libs-python chkfontpath gd ghostscript ghostscript-fonts lcms libFS libXfont libXpm libXt libcroco libfontenc librsvg2 libselinux-python libselinux-utils libsemanage libwmf php-pgsql pkgconfig policycoreutils ttmkfdir urw-fonts xorg-x11-font-utils  xorg-x11-xfs desktop-file-utils psutils tetex tetex-dvips tetex-fonts tetex-latex --enablerepo=* -y

## INSTALL
cd /opt
wget http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.1.tar.gz
tar -xzf mediawiki-1.15.1.tar.gz
mv /opt/mediawiki-1.15.1 /opt/mediawiki
rm -f /opt/mediawiki-1.15.1.tar.gz

## FIX SECURITY
chown -R root:root /opt/mediawiki/
chown    root:www  /opt/mediawiki/images
chmod 777 /opt/mediawiki/config
chmod 775 /opt/mediawiki/images

## APACHE CONFIG
cat > /etc/e-smith/templates/etc/httpd/conf/httpd.conf/98mediawiki << EOF

# MediaWiki
Alias /mediawiki /opt/mediawiki
#Alias /wiki /opt/mediawiki/index.php

<Directory /opt/mediawiki>
  AddType application/x-httpd-php .php .php3 .phtml
  Options FollowSymLinks
  order deny,allow
  deny from all
  allow from all
  php_admin_value open_basedir /opt/mediawiki/:/tmp:/usr/bin/
</Directory>

<Directory /opt/mediawiki/includes>
  order deny,allow
  deny from all
</Directory>

<Directory /opt/mediawiki/languages>
  order deny,allow
  deny from all
</Directory>

<Directory /opt/mediawiki/maintenance>
  order deny,allow
  deny from all
</Directory>

<Directory /opt/mediawiki/maintenance/archives>
  order deny,allow
  deny from all
</Directory>

<Directory /opt/mediawiki/math>
  order deny,allow
  deny from all
</Directory>

<Directory /opt/mediawiki/serialized>
  order deny,allow
  deny from all
</Directory>

<Directory /opt/mediawiki/t>
  order deny,allow
  deny from all
</Directory>

<Directory /opt/mediawiki/tests>
  order deny,allow
  deny from all
</Directory>

EOF

## APPLY CHANGES
expand-template /etc/httpd/conf/httpd.conf
/etc/rc7.d/S86httpd-e-smith sigusr1

## SETUP WEB APP
http://yourdomain.com/mediawiki/config
You will need MySQL's ROOT password (for SuperUser config), to retrieve it:
cat /root/.my.cnf

## FINISH SETUP
mv /opt/mediawiki/config/LocalSettings.php /opt/mediawiki/
chown root:root /opt/mediawiki/LocalSettings.php
chmod 644 /opt/mediawiki/LocalSettings.php
chmod 770 /opt/mediawiki/config
sed -i 's/wgEnableUploads       = false/wgEnableUploads       = true/g' /opt/mediawiki/LocalSettings.php
sed -i 's/wgUseTeX           = false/wgUseTeX           = true/g' /opt/mediawiki/LocalSettings.php
sed -i 's/# $wgShellLocale = "en_US.UTF-8"/\$wgShellLocale = "fr_FR.UTF-8"/g' /opt/mediawiki/LocalSettings.php

Enjoy!

[cactus]

Please do not post questions or remarks concerning SME Server 8 (beta or any state) into the 7.x forums. Moving to General Discussion where it is more appropriate.

Thanks in advance.

[CharlieBrady]

## FIX SECURITY
chown -R root:root /opt/mediawiki/
chown    root:www  /opt/mediawiki/images
chmod 777 /opt/mediawiki/config

Here you have broken security, not 'fixed' it. Anyone who can write files on your server can now change the configuration of your mediawiki instance. Permissions of 777 are always wrong, and always insecure.

[cool34000]

Hi,

Yes, chmod 777 is used only for config purpose, look at the end of the script after the web setup is done...

[CharlieBrady]

Yes, chmod 777 is used only for config purpose, look at the end of the script after the web setup is done...

Too late to be secure.

[cool34000]

Too late to be secure.

The config folder needs to be set to 777 during the web install.
After the web install is done, the script set 770 so that the installer can't be runned again.

If you find a hack in MediaWiki installer, please open a bug on their bugtracker.

[CharlieBrady]

The config folder needs to be set to 777 during the web install.

No it doesn't. The folder only needs to be writable via the web app, so only needs www group write permission.

[CharlieBrady]

The folder only needs to be writable via the web app, so only needs www group write permission.

And even better from that is to template the config files, and skip the web install step.

[cool34000]

root:www with 770 do not allow to launch MediaWiki's web setup... Try it if you don't believe me!

[electroman00]

cool34000

Certainly hope you and nobody else is using your template.

php_admin_value open_basedir /opt/mediawiki/:/tmp:/usr/bin/

Not sure where you found that template, but due to the vulnerability it imposes on the server, you and nobody else should use it.

mediawiki users will have access to /usr/bin/.

ls /usr/bin

Will give you a rough idea as to what a hacker could......

It would be a real good idea to edit your post and remove :/usr/bin/ so nobody will ever unknowingly use that.

/tmp shouldn't be there either, however thats a whole different issue, another vulnerability, however not nearly as sever.

You should also check your http.conf for any app that uses open_basedir and points to /usr/bin/, no web app should be allowed to access that tree.

As far as MW config, if your doing a manual install then yes you need to set 777 and be sure you 770 when config completes.

chmod a+w /opt/mediawiki to enable config access

chmod a-w /opt/mediawiki to disable config access

and / or simply rename config to something else ie. config.545

Looks like there's a need for a bash script to sed /usr/bin.....check/remove from templates.

And that template you used appears to be very old as well.

Also you don't need to yum all those dependencies, mediawiki will work on a clean sme install.

I know I haven't yum'd anything as of this point.

BTW I have a bash script that manually installs MW1.15.1 on 8 and can be used to install most any app. depending on some basic prog skills (change appropriate vars).
Not sure if anyone would be interested or where it should be made available.
hth

[cool34000]

Hi,

Looks like you're a very constructive man electronman00!!!
So thanks for your leason!

This is exactly why I've switched to Debian: people in this community are rude, never gives help in any other way that "that's not the way it has to be done" or "you're too bad" or "your script is a piece of sh*t" and most of time people replying didn't even read the script entirely! (else you wouldn't have said that it needs to be set to 770 or a-w after the web install because the script already do that!!!)

I don't mean this script is perfect, and yes it needs to be secured, but after reading your comment I'm as noob as I was before reading it... The only advice I see is to remove access to /tmp and /usr/bin/ but then MW doesn't work anymore... What a great advice!
So why don't you share your killer script that changes appropriate vars based on your basic prog skills?!?
This would be more appropriate, less rude and would really help people: the ones wanting to use MW, and other people like me to improve their knowledge...

[Stefano]

Hi,

Looks like you're a very constructive man electronman00!!!
So thanks for your leason!

hi cool34000

please, don't loose your time with him

So why don't you share your killer script that changes appropriate vars based on your basic prog skills?!?
This would be more appropriate, less rude and would really help people: the ones wanting to use MW, and other people like me to improve their knowledge...

As I said, don't loose your time with him..

About some "pieces" of the community: the main aims of SME are stability and security, so that's why you've been given some advices to improve your scripts.

IIRC you made a lot of work to create howtos.. please, don't stop

ciao

[cool34000]

Thanks for you reply Stefano...

Still, I don't know how to fix these security issues, so if anyone have advices to secure this webapp, please fell free to step in, I'd be very pleased to modify this howto!
Access to /tmp is here to allow upload to the wiki (I don't know any other solutions to do so)...
Can't remember why access to /usr/bin is needed, but there are some binaries that this webapp must have access to. Is there any better solutions for that?

[CharlieBrady]

Still, I don't know how to fix these security issues, so if anyone have advices to secure this webapp, please fell free to step in,

The devinfo mailing list is probably the best place to get advice as to how to write HOWTOs or create contrib packages.

As others have said, don't worry too much about electroman00. Not only is he not as helpful as he might be (we are still waiting for him to add information to bug 139), but not everything he says is correct.

[cool34000]

Hi,

The devinfo mailing list is probably the best place

Not @home right now, I'll give it a try this week end.
Thanks