security

Differences

This shows you the differences between two versions of the page.

security [2014-02-27 02:11]
Klap-in
security [2019-03-18 13:20] (current)
kondurake Protect /vendor/ directory
Line 1: Line 1:
- +====== Security ​ ======
-====== Security ======+
  
 DokuWiki is a web application and is often used on public servers, reachable from the Internet. This means it is at a greater risk to be attacked by malicious people than, for example, a local application on your desktop system. DokuWiki is a web application and is often used on public servers, reachable from the Internet. This means it is at a greater risk to be attacked by malicious people than, for example, a local application on your desktop system.
  
-DokuWiki is developed with security in mind. We try to find a balance between user friendliness and securitybut favor security when no satisfying compromise can be found.+DokuWiki is developed with security in mind. We try to find a balance between user-friendliness and security but favor security when no satisfying compromise can be found.
  
 This page should give you an overview on what aspects you should have an eye on to make sure your DokuWiki is secure. This page should give you an overview on what aspects you should have an eye on to make sure your DokuWiki is secure.
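Review bot: the new heading line carries a stray non-printing character between "Security" and the closing ''======''; restore ''====== Security ======'' so the title renders cleanly. The "user-friendliness" spelling fix in the same hunk is fine.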
Line 34: Line 33:
   * ''​data''​   * ''​data''​
   * ''​conf''​   * ''​conf''​
-  * ''​bin''​+  * <del>''​bin''​</​del>​
   * ''​inc''​ (isn't dangerous when accessible, though)   * ''​inc''​ (isn't dangerous when accessible, though)
 +  * ''​vendor''​ (leaks info about your environment)
  
 To check if you need to adjust the access permissions try to access ''​%%http://​yourserver.com/​data/​pages/​wiki/​dokuwiki.txt%%''​. You should not get access to that file this way. To check if you need to adjust the access permissions try to access ''​%%http://​yourserver.com/​data/​pages/​wiki/​dokuwiki.txt%%''​. You should not get access to that file this way.
 +
 +(More about permissions - [[install:​permissions|install:​permissions]] - but it does not deal with the lack of detailed information about Dokuwiki'​s directory permissions. I mean about a short form of presentation,​ e.g. "Above five directories -// /data, /conf, <​del>/​bin</​del>,​ /inc, /vendor //- need to have 0700 permissions"​ etc.)
  
 If your directories are not properly secured, read the following subsections on how to do that. If your directories are not properly secured, read the following subsections on how to do that.
  
-==== Deny Directory Access in Apache ====+EDIT (2017-08-28):​ If you give 0700 permissions to bin directory, you don't have access to the page edit toolbar... 
 + 
 +EDIT (2017-09-26):​ There are a mistake between data privileges in this page and data privileges in [[install:​permissions]]. A directory cannot be writable and not writable by the web user at the same time. Please admin team, fix this and remove this comment 
 + 
 +EDIT (2018-05-01):​ Check that you cleared browser cache after setting all up. Security warning can be cached, so you'll probably wasting your time trying to make things work. 
 +==== Deny Directory Access in Apache ==== 
  
 The simplest way is to enable ''​.htaccess''​ support in your Apache configuration. Please see the [[http://​httpd.apache.org/​docs/​2.2/​howto/​htaccess.html|Apache .htaccess Tutorial]]. The simplest way is to enable ''​.htaccess''​ support in your Apache configuration. Please see the [[http://​httpd.apache.org/​docs/​2.2/​howto/​htaccess.html|Apache .htaccess Tutorial]].
  
-DokuWiki already comes with correctly configured .htaccess files. The contents of a .htaccess file to block all access to the directory it is in should be as follows:+DokuWiki already comes with correctly configured .htaccess files. The contents of a .htaccess file to block all access to the directory it is in should be as follows ​(valid for both Apache 2.2 and 2.4):
  
 <​code>​ <​code>​
-order allow,deny +<​IfModule !mod_authz_core.c>​ 
-deny from all+  ​Order ​deny,allow 
 +  Deny from all 
 +</​IfModule>​ 
 +<​IfModule mod_authz_core.c>​ 
 +  Require all denied 
 +</​IfModule>​
 </​code>​ </​code>​
  
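Review bot: the new .htaccess fragment switches the 2.2 branch to ''Order deny,allow'', whose unmatched default is allow; with only ''Deny from all'' the result is still a denial, but ''Order allow,deny'' keeps the fall-through default at deny if an ''Allow'' line is ever added, and it matches what ''Require all denied'' does in the 2.4 branch, so keep ''Order allow,deny'' as in the previous revision. ''bin'' is struck through in the directory list while every rule later on the page (LocationMatch, IIS, lighttpd, nginx, Cherokee, Caddy) still blocks it, so either say why it was dropped or leave it in the list. The three dated EDIT paragraphs are talk-page remarks (one even asks the admin team to remove it); the conflict they describe between the 0700 advice here and [[install:permissions]] should be resolved in the text and the remarks moved to the discussion page.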
Line 56: Line 68:
 It seems that Apache2 in general, or it might be specifically to Ubuntu, is configured slightly differently than Apache1.x. It seems that Apache2 in general, or it might be specifically to Ubuntu, is configured slightly differently than Apache1.x.
  
-In the ///​etc/​apache2/​sites-available//​ you need to modify the file //default// (or the file //​default-ssl//​ if you use https rather than http)+In the ///​etc/​apache2/​sites-available// ​(or you need to modify the file //default//, e.g. //​000-default.conf//​) ​(or the file //​default-ssl//​ if you use https rather than http)
  
 There you'll find: There you'll find:
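Review bot: the rewritten sentence now has a leftover "(or" and two parentheticals in a row ("(or you need to modify the file //default//, e.g. //000-default.conf//) (or the file //default-ssl// ...)"), which makes it hard to follow; suggest "In ///etc/apache2/sites-available// edit the file //default// (on newer releases //000-default.conf//), or //default-ssl// if you serve the wiki over https."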
Line 77: Line 89:
         </​Directory>​         </​Directory>​
 </​code>​ </​code>​
-Default for AllowOverride in the <​nowiki><​Directory /​var/​www/></​nowiki>​ is **none**, should be **all**+Default for AllowOverride in the <​nowiki><​Directory /​var/​www/></​nowiki>​ is (double) ​**none**, should be (double) ​**all**
  
 ///​etc/​init.d/​apache2 reload// to refresh your apache configuration and your .htaccess files should now work. ///​etc/​init.d/​apache2 reload// to refresh your apache configuration and your .htaccess files should now work.
 +
 +:​!:///​etc/​init.d/​apache2 reload// may not work. You can try ''​sudo service apache2 restart''​ instead.
  
 (See http://​ubuntuforums.org/​showthread.php?​t=47669 for the full thread) (See http://​ubuntuforums.org/​showthread.php?​t=47669 for the full thread)
  
 [you can make this change also for the particular directory containing your DokuWiki installation,​ ie. ''/​var/​www/​path-to-dokuwiki''​ instead of changing that globally] [you can make this change also for the particular directory containing your DokuWiki installation,​ ie. ''/​var/​www/​path-to-dokuwiki''​ instead of changing that globally]
- 
  
 ---- ----
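Review bot: "(double) **none**, should be (double) **all**" does not say what "double" refers to; if the point is that ''AllowOverride'' has to be changed in both the ''/var/www'' block and the DokuWiki directory block, spell that out. Since ''AllowOverride All'' on ''/var/www'' enables .htaccess processing for every site under that root, the bracketed remark about applying it only to ''/var/www/path-to-dokuwiki'' is the safer choice and deserves to be the main instruction rather than an afterthought. For the added tip: ''reload'' (or ''apache2ctl graceful'') is enough to pick up the change and does not drop open connections the way ''restart'' does, so present the restart only as a fallback.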
Line 90: Line 103:
 The other way is to use ''​LocationMatch''​ directive inside ''​VirtualHost''​ definition - it's a little bit more efficient than ''​.htaccess''​. Just below ''​Directory''​ directive add: The other way is to use ''​LocationMatch''​ directive inside ''​VirtualHost''​ definition - it's a little bit more efficient than ''​.htaccess''​. Just below ''​Directory''​ directive add:
 <​code>​ <​code>​
-<​LocationMatch "/​(data|conf|bin|inc)/">​+<​LocationMatch "/​(data|conf|bin|inc|vendor)/">​
     Order allow,deny     Order allow,deny
     Deny from all     Deny from all
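Review bot: the regex gains ''vendor'' but the block still uses only the 2.2 ''Order allow,deny'' / ''Deny from all'' form; the .htaccess fragment above now covers 2.4 with ''Require all denied'' inside ''<IfModule mod_authz_core.c>'', so this LocationMatch should get the same two-branch treatment, otherwise it fails with "Invalid command 'Order'" on a 2.4 server that does not load mod_access_compat.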
Line 97: Line 110:
 </​code>​ </​code>​
  
-//However see the "What to use When" section here [[http://​httpd.apache.org/​docs/​2.0/​sections.html#​file-and-web]] for a statement that "​Location"​ directives should not be used for protecting filesystem objects, only virtual (e.g. database-generated) paths. IMO if .htaccess isn't available or sufficient, then putting directory-specific restrictions directly in the hosts conf file would be the safest approach. This [[http://​ada.adrianlang.de/​dokuwiki-php-execution#​solutions_in_the_configuration]] seems a solid approach - but this document should be "​canonical"​.//​+//However see the "What to use When" section here [[http://​httpd.apache.org/​docs/​2.4/​sections.html#​file-and-web]] for a statement that "​Location"​ directives should not be used for protecting filesystem objects, only virtual (e.g. database-generated) paths. IMO if .htaccess isn't available or sufficient, then putting directory-specific restrictions directly in the hosts conf file would be the safest approach. This [[http://​ada.adrianlang.de/​dokuwiki-php-execution#​solutions_in_the_configuration]] seems a solid approach - but this document should be "​canonical"​.//​
  
 ---- ----
  
-The above could cause a problem if you have another "​root"​ that includes the directorys ​data|conf|bin|inc. For example another wiki installation.+The above could cause a problem if you have another "​root"​ that includes the directories ​data|conf|bin|inc|vendor. For example another wiki installation.
 You can avoid this problem by extending your LocationMatch within your wiki installation folder. You can avoid this problem by extending your LocationMatch within your wiki installation folder.
 <​code>​ <​code>​
Line 109: Line 122:
         </​Directory>​         </​Directory>​
  
-        <​LocationMatch "^/dokuwiki/​(data|conf|bin|inc)/">​+        <​LocationMatch "/​(data|conf|bin|inc|vendor)/">​
             order allow,deny             order allow,deny
             deny from all             deny from all
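Review bot: the sentence just above says the fix for a second "root" is to extend the LocationMatch with the installation folder, but the new line drops the ''^/dokuwiki/'' anchor and becomes identical to the generic rule, so the example no longer demonstrates the fix; restore ''"^/dokuwiki/(data|conf|bin|inc|vendor)/"''.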
Line 119: Line 132:
 Access to the mentioned directories can be disabled in IIS' configuration settings. Access to the mentioned directories can be disabled in IIS' configuration settings.
  
-  - Open the configuration tool: Start -> Settings -> Control Panel -> Administrative Tools -> Internet Information Services +=== In IIS 8+ ===
-  - Navigate to the directory you want to protect: Local Computer -> Web Sites -> Default Web Site → //path to directory//​ +
-  - Right-Click the folder and chose Properties -> Directory Security -> IP address and domain name restrictions -> Edit... +
-  - Choose "By default, all computers will be: Denied access"​+
  
 +(Windows 8(.1) and Servers 2012 and 2012R2):
  
-In IIS7:+  - select "IIS Request Filtering"​ 
 +  - go to the "​URL"​ tab 
 +  - click on "Deny Sequence..."​ 
 +  - enter "/​data/"​ in the popup box and click "​OK"​ 
 +  - Repeat the "Deny Sequence..."​ instruction for the /conf/ /bin/ /inc/ and /vendor/ directories 
 + 
 + 
 +=== In IIS 7 ===
  
   - select "IIS Request Filtering"​   - select "IIS Request Filtering"​
Line 132: Line 150:
   - enter "/​data/"​ in the popup box   - enter "/​data/"​ in the popup box
  
- ​Repeat for "/​data/​media"​ and choose "​Always Allow" (otherwise your images and other won't be visible). In IIS 7.5 do not add the quotes. It should read /data/media in the URL.  +Note: By default, the Management Console snap-in for Internet Information Services 7 does not have UI access to "IIS Request Filtering"​ section. However, can be enabled by installing "IIS Administration pack 1.0" by using the [[http://​www.microsoft.com/​web/​downloads/​platform.aspx|Web Platform Installer]].
- +
- Note: By default, the Management Console snap-in for Internet Information Services 7 does not have UI access to "IIS Request Filtering"​ section. However, can be enabled by installing "IIS Administration pack 1.0" by using the [[http://​www.microsoft.com/​web/​downloads/​platform.aspx|Web Platform Installer]].+
  
 Also note: Ensure you enter "/​data/"​ and NOT just "/​data",​ otherwise pages that start with "​data"​ will be inaccessible. Also note: Ensure you enter "/​data/"​ and NOT just "/​data",​ otherwise pages that start with "​data"​ will be inaccessible.
  
-**Alternative** +=== Alternatives for IIS 7+ === 
 + 
 +If you can't access IIS configuration options (as in shared hosting sites), you can use one of the following methods 
 + 
 +//Alternative ​1:// 
 + 
 +You can place the following file in your dokuwiki root: 
 + 
 +<file xml web.config>​ 
 + 
 +<?xml version="​1.0"​ encoding="​UTF-8"?>​ 
 +<​configuration>​ 
 +    <​system.webServer>​ 
 +        <​security>​ 
 +            <​requestFiltering>​ 
 +                <​filteringRules>​ 
 +                </​filteringRules>​ 
 +                <​denyUrlSequences>​ 
 +                    <add sequence="/​data/"​ /> 
 +                    <add sequence="/​conf/"​ /> 
 +                    <add sequence="/​bin/"​ /> 
 +                    <add sequence="/​inc/"​ /> 
 +                    <add sequence="/​vendor/"​ /> 
 +                </​denyUrlSequences>​ 
 +            </​requestFiltering>​ 
 +        </​security>​ 
 +    </​system.webServer>​ 
 +</​configuration>​ 
 + 
 +</​file>​ 
 + 
 +//​Alternative 2://
  
-If you can't access IIS configuration options (as in shared hosting sites), you can put the following web.config file in the directories you have to protect.+You can put the following web.config file in the directories you have to protect.
  
   * ''​data''​   * ''​data''​
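Review bot: in the new Alternative 1 ''web.config'' the empty ''<filteringRules></filteringRules>'' element does nothing and can be dropped. ''denyUrlSequences'' entries match anywhere in the URL, so the "/data/" not "/data" caveat given for the IIS 7 steps applies to this file too and is worth repeating next to it. Dropping the old "Always Allow /data/media" step is the right call: DokuWiki serves media through ''lib/exe/fetch.php'', which checks ACLs, and an allow rule for ''/data/media'' would have exposed the raw files.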
Line 146: Line 193:
   * ''​bin''​   * ''​bin''​
   * ''​inc''​ (isn't dangerous when accessible, though)   * ''​inc''​ (isn't dangerous when accessible, though)
 +  * ''​vendor''​
  
 <file xml web.config>​ <file xml web.config>​
Line 158: Line 206:
  
 </​file>​ </​file>​
 +
 +=== IIS 6.5 and below ===
 +
 +  - Open the configuration tool: Start -> Settings -> Control Panel -> Administrative Tools -> Internet Information Services
 +  - Navigate to the directory you want to protect: Local Computer -> Web Sites -> Default Web Site → //path to directory//
 +  - Right-Click the folder and chose Properties -> Directory Security -> IP address and domain name restrictions -> Edit...
 +  - Choose "By default, all computers will be: Denied access"​
 +  - Repeat this for /data/ /conf/ /bin/ /inc/ and /vendor/ directories
  
 ==== Deny Directory Access in Lighttpd ==== ==== Deny Directory Access in Lighttpd ====
  
-Using a [[http://​redmine.lighttpd.net/​wiki/​lighttpd/​Docs:​ModRewrite|URL re-write]] you can deny access to the above directories. In your lighttpd.conf file adding the following URL rewrite rule should be sufficient to keep people out. It suppose your Dokuwiki files are installed under http://​yourwebsite.tld/​dokuwiki/​. Don't forget to uncomment ''//"​mod_rewrite"//''​ in the ''//​server.modules//''​ section.+Using a [[http://​redmine.lighttpd.net/​wiki/​lighttpd/​Docs:​ModRewrite|URL re-write]] you can deny access to the above directories. In your lighttpd.conf file adding the following URL rewrite rule should be sufficient to keep people out((Unfortunately it does not not when people are using [[https://​vivaldi.com/​|Vivaldi]] and probably other chromium based browsers. When combined with "​mod_access"​ it does keep people out.)) ​. It suppose your Dokuwiki files are installed under http://​yourwebsite.tld/​dokuwiki/​. Don't forget to uncomment ''//"​mod_rewrite"//''​ in the ''//​server.modules//''​ section.
 <​code>​ <​code>​
-url.rewrite-once = ( "​^/​dokuwiki/​(data|conf|bin|inc)/​+.*"​ => "/​nonexistentfolder"​ )+url.rewrite-once = ( "​^/​dokuwiki/​(data|conf|bin|inc|vendor)/+.*" => "/​nonexistentfolder"​ )
 </​code>​ </​code>​
  
 Or use ''//"​mod_access"//''​. More examples available [[http://​redmine.lighttpd.net/​wiki/​lighttpd/​Docs:​ModAccess|here]]. Or use ''//"​mod_access"//''​. More examples available [[http://​redmine.lighttpd.net/​wiki/​lighttpd/​Docs:​ModAccess|here]].
 <​code>​ <​code>​
-$HTTP["​url"​] =~ "​^/​dokuwiki/​(data|conf|bin|inc)/​+.*"​ {+$HTTP["​url"​] =~ "​^/​dokuwiki/​(data|conf|bin|inc|vendor)/+.*" {
     url.access-deny = (""​)     url.access-deny = (""​)
 } }
 </​code>​ </​code>​
 +
 ==== Deny Directory Access in Nginx ==== ==== Deny Directory Access in Nginx ====
  
 Access to aforementioned directories can be disabled in DokuWiki server section of Nginx configuration file. Access to aforementioned directories can be disabled in DokuWiki server section of Nginx configuration file.
 In your nginx.conf file add the following location to prevent access to secure directories. ​ In your nginx.conf file add the following location to prevent access to secure directories. ​
 +
 +//This instruction is slightly misleading. What you should actually edit is the /​etc/​nginx/​sites-available/​default file. Remember to first create a backup by issuing cp /​etc/​nginx/​sites-available/​default /​etc/​nginx/​sites-available/​default.bak//​
 +//Or in the virtualhost where you are hosting dokuwiki//
  
 <​code>​ <​code>​
-    location ~ /​(data|conf|bin|inc)/​ {+    location ~ /​(data|conf|bin|inc|vendor)/ {
       deny all;       deny all;
     }     }
 </​code>​ </​code>​
  
-Also disabling access to .htaccess files is recommended:+Note: if you are using [[config:​xsendfile|xsendfile]],​ the above rules will break sendfile functionalityConsider the following:
  
 <​code>​ <​code>​
-    location ~ /\.ht +    location ~ /(conf|bin|inc|vendor)/ ​
-      deny  all;+        deny all
 +    } 
 +     
 +    location ~ /data/ { 
 +        internal;
     }     }
 </​code>​ </​code>​
  
-(comment: nginx does not use htaccess files, so the above directive is meaningless) 
 ==== Deny Directory Access in Cherokee ==== ==== Deny Directory Access in Cherokee ====
  
 It is relatively easy to forbid access to those directories using Cherokee. In cherokee-admin,​ select the virtual server where dokuwiki is installed and select rules management. It is relatively easy to forbid access to those directories using Cherokee. In cherokee-admin,​ select the virtual server where dokuwiki is installed and select rules management.
  
-then add a new "​Regular Expression"​ rule and put the following in it :+then add a new "​Regular Expression"​ rule and put the following in it (supposing that dokuwiki sits on the root directory):
 <​code>​ <​code>​
-   /​(data|conf|bin|inc)/​+   /​(data|conf|bin|inc|vendor)/
 </​code>​ </​code>​
 +Remember to set it as "NON FINAL",​ because if not, some code under those directories may still being executed under certain circumstances ("​Extensions php" rule as "NON FINAL" present, for example).
  
 Then go in "​Handler"​ section and select HTTP Error. Finally select "403 Forbidden"​ in HTTP Error. Then go in "​Handler"​ section and select HTTP Error. Finally select "403 Forbidden"​ in HTTP Error.
  
 +==== Deny Directory Access in Caddy ====
 +Here is an example Caddyfile for a wiki served with [[https://​caddyserver.com|Caddy]]:​
 +<​code>​
 +wiki.example.com {
 +        log /​var/​log/​caddy/​dokuwiki.log
 +        root /​var/​www/​dokuwiki/​
 +        # Assuming install/​config of php-fpm ​
 +        # to listen on localhost:​9000
 +        fastcgi / 127.0.0.1:​9000 php
 +        # This block below sends an HTTP 401 message when
 +        # a client attempts to access the secured directories. ​
 + status 401 {
 + /data
 + /conf
 + /bin
 + /inc
 + /vendor
 + }
 +}
 +</​code>​
  
  
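Review bot: in the nginx block, ''location ~ /(conf|bin|inc|vendor)/'' is a regex location and nginx uses the first regex location that matches in file order, so it must appear before any ''location ~ \.php$'' block; otherwise a request for a .php file under one of those directories is handed to PHP instead of denied, and the same ordering applies to the ''location ~ /data/ { internal; }'' variant. The Caddy example returns 401, which tells the client to authenticate and retry; 403 is what the other sections use and the right status for a blanket deny. Smaller points: "sendfile functionalityConsider" is missing a full stop and space, the lighttpd footnote reads "it does not not when" (presumably "does not work when"), and if the rewrite rule can be bypassed the ''mod_access'' block should be presented as the primary method rather than an alternative.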
Line 252: Line 336:
 ===== DokuWiki Configuration Settings ===== ===== DokuWiki Configuration Settings =====
  
-DokuWiki contains several configuration settings that have an impact on various security ​aspect ​of the installation. Please refer to the documentation of each setting to learn what they do and what suggested settings are.+DokuWiki contains several configuration settings that have an impact on various security ​aspects ​of the installation. Please refer to the documentation of each setting to learn what they do and what suggested settings are.
  
   * [[config:​allowdebug]] -- disabling debugging output to avoid system information leakage :!:   * [[config:​allowdebug]] -- disabling debugging output to avoid system information leakage :!:
Line 267: Line 351:
   * [[config:​safemodehack]] -- work around safe mode restrictions   * [[config:​safemodehack]] -- work around safe mode restrictions
   * [[config:​disableactions]] -- disable certain actions, e.g. registration or view source   * [[config:​disableactions]] -- disable certain actions, e.g. registration or view source
 +  * [[config:​baseurl]] -- set a fixed server name the wiki should use to avoid server name spoofing attacks
  
 ===== Plugin Security ===== ===== Plugin Security =====
Line 295: Line 380:
   * {{http://​www.apachesecurity.net/​download/​apachesecurity-ch03.pdf|Apache Security - Chapter 3: Locking down PHP}}.((No longer there; please try [[https://​www.feistyduck.com/​books/​apache-security/​]]))   * {{http://​www.apachesecurity.net/​download/​apachesecurity-ch03.pdf|Apache Security - Chapter 3: Locking down PHP}}.((No longer there; please try [[https://​www.feistyduck.com/​books/​apache-security/​]]))
   * [[http://​www.bouthors.fr/​wiki/​doku.php?​id=en:​linux:​dokuwiki:​secu|How to completely hide unauthorized pages]]   * [[http://​www.bouthors.fr/​wiki/​doku.php?​id=en:​linux:​dokuwiki:​secu|How to completely hide unauthorized pages]]
- 
-===== Additional Security Tools ===== 
- 
-I've configure DokuWiki with ZBBlock: http://​www.spambotsecurity.com/​zbblock_download.php ​ 
-Works great. Stops a lot of nasty attacks... 
- 
security.1393463463.txt.gz · Last modified: 2014-02-27 02:11 by Klap-in