
Item4593: LocalSite.cfg access rights should be restricted (is currently u+rw g+r o+r, should be go-r)

Item Form Data

AppliesTo: Engine
Component:
Priority: Normal
CurrentState: No Action Required
WaitingFor:
TargetRelease: minor
ReleasedIn: 4.2.0


Detail

As discussed in Item4587 (SMTP auth password stored in clear text), LocalSite.cfg should be created with more restrictive rights.

As an admin is already perfectly welcome to set his own access rights on LocalSite.cfg, I don't think this is Urgent.

I remember we went through some iterations getting file access rights just right in the build script. I hope somebody who remembers the difference between octal settings etc. will pick up on this one (I don't).

-- TWiki:Main/SteffenPoulsen - 09 Sep 2007

The general problem with world not being able to read is that people running on a shared host often cannot get things to work without having files world readable. And that goes for all files that Apache needs to read.

-- TWiki:Main.KennethLavrsen - 09 Sep 2007

Apache does not need to read LocalSite.cfg, I believe. I locked down my LocalSite.cfg to test this out, and did not see any problems.

-- TWiki:Main.ThomasWeigert - 09 Sep 2007

No, for normal installations this is true.

But for shared hosts, the Apache user and the script user are not always the same, and we had quite a few reports from people having trouble.

In fact we had a passionate debate about exactly this before it was finally decided to make files world readable.

See Item3280 for the original bug item that changes the access rights.

The reason the default access rights are as they are is that quite often people who FTP the tgz to a shared host and have no root access need global read rights to make it work. Those that have root access and have their own server can close the access to world users and should do so.

The default settings are the result of quite a few customer support cases. And no one prevents people from securing the files further if they have root access.

I think we had this discussed enough in the past - so I am setting this to No Action Required.

-- TWiki:Main.KennethLavrsen - 09 Sep 2007
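The permission change debated in this item (u+rw g+r o+r, i.e. octal 644, tightened with go-r to 600), as an added example that is not TWiki's build script or any participant's code. The function names and the `script_user` parameter are hypothetical; the ownership check reflects the shared-host case raised above, where the file must belong to the user the scripts run as before group/other read can be removed safely.

```shell
#!/bin/sh
# Added example: audit and tighten read access on a LocalSite.cfg-style file.
# Function names and the script_user argument are assumptions for illustration.

# Print who besides the owner can read FILE:
# "restricted", "group", "other" or "group,other".
cfg_read_exposure() {
    f=$1
    if [ ! -f "$f" ]; then echo "missing"; return 2; fi
    exposure=""
    # POSIX find: -perm -MODE matches when every bit in MODE is set.
    if [ -n "$(find "$f" -prune -perm -040)" ]; then exposure="group"; fi
    if [ -n "$(find "$f" -prune -perm -004)" ]; then
        exposure="${exposure:+$exposure,}other"
    fi
    echo "${exposure:-restricted}"
}

# Apply go-r, but only when FILE is owned by the user the scripts run as
# (name or numeric uid). Otherwise the scripts would lose read access.
cfg_restrict() {
    f=$1
    script_user=$2
    if [ -z "$(find "$f" -prune -user "$script_user" 2>/dev/null)" ]; then
        echo "refusing: $f is not owned by $script_user" >&2
        return 3
    fi
    chmod go-r "$f" || return 1
    # Verify the result instead of trusting chmod's exit status alone.
    [ "$(cfg_read_exposure "$f")" = "restricted" ]
}

# Demo on a constructed stand-in file, not a real TWiki installation.
demo=$(mktemp)
chmod 644 "$demo"                          # u+rw g+r o+r
echo "before: $(cfg_read_exposure "$demo")"
cfg_restrict "$demo" "$(id -u)"            # here the current user plays the script user
echo "after:  $(cfg_read_exposure "$demo")"
rm -f "$demo"
```

On a real installation, pass the path to LocalSite.cfg and the account the TWiki scripts execute under; a refusal (status 3) means the owner and script user differ and go-r would break the site.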

ItemTemplate
Summary LocalSite.cfg access rights should be restricted (is currently u+rw g+r o+r, should be go-r)
ReportedBy TWiki:Main.SteffenPoulsen
Codebase

SVN Range TWiki-4.2.0, Sat, 08 Sep 2007, build 14780
AppliesTo Engine
Component

Priority Normal
CurrentState No Action Required
WaitingFor

Checkins

TargetRelease minor
ReleasedIn 4.2.0
Topic revision: r4 - 2007-09-09 - KennethLavrsen
 