Protecting Your Configuration

TIP Prior versions of this document apply to Foswiki 1.x. As of Foswiki 2.x the configure tool is protected by the Foswiki configuration and special web server configuration is unnecessary. Protecting the bin/configure script using web server directives is insufficient. Much of configure's functions are now performed by the JsonRpcContrib. Foswiki's internal protections apply to both configure and jsonrpc interaction.

Introduction

The configure script and the related jsonrpc calls are used by the administrator to set up the Foswiki site. By default, access is limited to the AdminGroup; however, the mechanism is designed for separation of roles. Unlike prior versions of Foswiki, it is possible to completely eliminate the concept of a shared "admin" password. The design of the Configure access controls supports three roles:
The System Administrator
Responsible for the Wiki software, extensions, and its integration into the operating system.
The Wiki Administrator
Responsible for care and feeding of the Wiki.
The Super Administrator
Can perform both roles. This is completely optional!

Note that these controls apply to several Wiki topics including the System.FoswikiServerInformation topic and the System.PerlDependencyReport topic. These both reveal sensitive information about the operating system and execution environment.

System Administrator

This is the person or persons with access to the OS, and the responsibility for upgrading software, installing Foswiki extensions, etc. This authority is established by explicitly listing the wikinames of the users in the Configuration key: $Foswiki::cfg{FeatureAccess}{Configure}. It is located in the Security and Authentication tab under Access Control. If this key is configured, then users in the AdminGroup are not granted access to configure.

Wiki Administrator

This role is granted view and change access to all topics in the Wiki. Anyone in the AdminGroup is a Wiki Administrator. They also have access to configure and the related topics mentioned above, unless a System Administrator is configured. So setting one or more System Administrators automatically locks Wiki Administrators out of configure.

Super Administrator

This is the special reserved login user "admin", wikiname AdminUser. This ID does require a shared password, but there is no requirement to create this user. When configured, this user has full access to both the Wiki and the configuration. The super administrator is established by setting the $Foswiki::cfg{Password} configuration key, located on the Security and Authentication tab under Passwords.

Hints and Suggestions

I didn't create the Super administrator and now I'm locked out.

If you have access to the shell on the system, you can set or change the super admin password any time using the tools/configure utility.
   cd /path/to/foswiki
   tools/configure -save -set {Password}="theDesiredAdminPassword"
Then if FastCGI / FCGID or mod_perl are in use, reload the web server and/or restart the backend FCGI handlers as appropriate to your system. You should now be able to log in with the admin userid.

I don't want my Wiki Administrators to be full time admins

It's relatively easy to set up "on demand" wiki administrators. This is done by explicitly allowing these users to CHANGE the AdminGroup without actually making them members of the AdminGroup:
  • Grant the users who should have part-time Wiki administrator rights CHANGE permission on the AdminGroup topic. Edit the AdminGroup preference settings and add the part-time users to the setting:
      * Set ALLOWTOPICCHANGE = list of part-time admins
  • Instruct the users to add %INCLUDE{"System.AdminToggle"}% to their custom Main.<user>LeftBar topic.
This results in a button allowing the user to join and leave the AdminGroup on demand.

I don't have shell access and I'm locked out

You can still set the Super Administrator password, but you do need to be able to edit files on the server. The admin password is stored as an "Apache MD5" encoded password. It can be created either using the apache htpasswd utility, or on several web sites that offer htpasswd generators. For example:
   htpasswd -nb admin asdfasdf
   admin:$apr1$KowtKVdP$AU4FO1r.ENG1wEvOdmpIw/
The part needed is all of the characters following the colon (:). Edit the /path/to/foswiki/lib/LocalSite.cfg file, and find the line $Foswiki::cfg{Password} = ... and insert the new password.
   $Foswiki::cfg{Password}='$apr1$KowtKVdP$AU4FO1r.ENG1wEvOdmpIw/';
Be sure the line is entered exactly as shown, with the single quote delimiters (') and the trailing semicolon (;).

Save the configuration, reload apache and/or restart the backend fcgi processes, and you should now be able to login with the admin user and the new password.
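The two steps above (producing the Apache MD5 hash and rewriting the Password line) as an added Python example; this is not Foswiki's own code, and it assumes LocalSite.cfg already contains a $Foswiki::cfg{Password} line to replace. The hash routine is the same "$apr1$" scheme htpasswd uses, so it reproduces the sample hash shown on this page.

```python
import hashlib
import re
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
PW_LINE = re.compile(r"^\$Foswiki::cfg\{Password\}\s*=.*$", re.MULTILINE)


def apr1_hash(password: str, salt: str = "") -> str:
    """Apache MD5 crypt (the scheme behind 'htpasswd -m'); returns '$apr1$<salt>$<22 chars>'."""
    salt = (salt or "".join(secrets.choice(ITOA64) for _ in range(8)))[:8]
    pw, sl = password.encode(), salt.encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for n in range(len(pw), 0, -16):  # mix in len(pw) bytes of the alternate sum
        ctx.update(alt[:min(n, 16)])
    n = len(pw)
    while n:  # one byte per bit of the password length
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000-round stretching loop
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sl)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    groups = [(final[a] << 16) | (final[b] << 8) | final[c]
              for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))]
    out = ""
    for v, width in zip(groups + [final[11]], (4, 4, 4, 4, 4, 2)):  # apr's byte order
        for _ in range(width):
            out, v = out + ITOA64[v & 0x3F], v >> 6
    return f"$apr1${salt}${out}"


def apr1_verify(password: str, stored: str) -> bool:
    """Constant-time check of a password against a stored '$apr1$...' string."""
    m = re.fullmatch(r"\$apr1\$([./0-9A-Za-z]{1,8})\$[./0-9A-Za-z]{22}", stored)
    return bool(m) and secrets.compare_digest(apr1_hash(password, m.group(1)), stored)


def set_password_line(localsite_cfg: str, apr1: str) -> str:
    """Rewrite the $Foswiki::cfg{Password} line with the single-quoted hash and trailing ';'."""
    if not re.fullmatch(r"\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}", apr1):
        raise ValueError("not an Apache MD5 (apr1) hash")
    if not PW_LINE.search(localsite_cfg):
        raise ValueError("no $Foswiki::cfg{Password} line found in LocalSite.cfg")
    return PW_LINE.sub(lambda _: f"$Foswiki::cfg{{Password}} = '{apr1}';", localsite_cfg, count=1)
```

Because the hash is written inside Perl single quotes, the dollar signs in it are literal and need no escaping; the format check rejects anything that is not a plain "$apr1$" string before it touches the file.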

Topic revision: r11 - 09 Mar 2018, GeorgeClark