Protecting Your Configuration

Introduction

The configure script in the bin directory is the administrator's tool for setting up the Foswiki site.

This script is

  • More vulnerable than the rest of Foswiki, because it has not been subjected to the same degree of security review and hardening as the rest of Foswiki.
  • A source of information for attackers: even view-only access reveals details about your installation that can be used in an effort to break in.
  • Protected by a unique password for saving, but only if you have actually defined that password.

Protect against viewing

Protecting the configure script against viewing is done with your web server's basic authentication mechanism.

Both the example foswiki_httpd_conf.txt, found in the root of the distribution, and the ApacheConfigGenerator contain a section that protects configure by requiring authentication before the script can be viewed.

In ApacheConfigGenerator you can provide two mechanisms:

  • Enter the IP address range or hostnames that will have access to configure (separate entries with spaces)
  • Enter the list of user names that are allowed to view configure

You can provide both and decide whether access requires one or both conditions to be satisfied.

The recommended setup is to grant access only by username and password.

Below is an example where you protect by either IP address (localhost in this example) or authenticated user (in this example we call him "configureuser"):

ALERT! Security advice: While you can use actual Foswiki user names here, consider not doing so. If the name of the administrator account is unknown (remember, it does not have to be admin either), dictionary attacks against the password alone are bound to fail. On the other hand, "normal" user names (especially in public wikis, which also display their user directory) are not really a secret.

# Limit access to configure to specific IP addresses or users.
# Make sure configure is not open to the general public.
# It exposes system details that can help attackers.
<FilesMatch "^(configure)$">
    SetHandler cgi-script
    Order Deny,Allow
    Deny from all
    Allow from localhost
    Require user configureuser
    Satisfy Any
</FilesMatch>

If you want to limit access to configure to both specific IP addresses and users, change the Satisfy setting above to

    Satisfy All

Below is an example that protects configure using authentication only (recommended):

# Limit access to configure to specific users.
# Make sure configure is not open to the general public.
# It exposes system details that can help attackers.
<FilesMatch "^(configure)$">
    SetHandler cgi-script
    Order Deny,Allow
    Deny from all
    Require user configureuser
    Satisfy Any
</FilesMatch>

ALERT! If you run configure protected only by IP address, or with no protection at all, configure shows a very visible warning message but functions normally.

Defining a user and password for accessing configure

The next task is to set up a user for configure. For this you need a .htpasswd file for Apache.

You can use any .htpasswd file, but in the configuration examples and in the configuration produced by ApacheConfigGenerator we use the same file for configure that is later used by the running Foswiki. This way everything is in one place and the configuration becomes simpler.

Some notes of warning

  • ALERT! If you have run an earlier version of TWiki or Foswiki and are upgrading, simply use the .htpasswd file from the old installation; you can then use your normal login name in the "Require user nnnn" line of your Foswiki Apache config file.
  • ALERT! An existing Foswiki .htpasswd file is in a special format in which the users' email addresses are stored along with the passwords. If you use the htpasswd program on such a file, all the email addresses will be deleted. So never use the htpasswd program on an existing Foswiki .htpasswd file.

If we assume that this is the first time you install Foswiki, there are two ways to get started safely.

Temporarily protect configure by IP address

The easiest way to protect configure initially is by IP address, typically localhost if you are working directly on the web server and have a desktop with a browser. If you work remotely, you need to give the IP address of the remote machine from which you open configure in your browser.

Here are the steps.

  • Generate an Apache config file for Foswiki using the ApacheConfigGenerator
    • Choose to protect BOTH with a username and IP address
    • Give either localhost, or the remote machine you work on as IP address
    • Give the login name you will later use for registration on the Foswiki for yourself
TIP Note: You need to use your real IP address as seen by the web server. If you are accessing a remote hosting location, your traffic may arrive from a translated (NAT) address. Use a site such as http://whatismyipaddress.com/ to discover or verify the real IP address that the remote server will see. This is the IP address that needs to be used in the Apache configuration.

  • Run configure and set up your server (ignore the warning about insecure access)
  • When saving the configuration for the first time, remember to define a new password. This password is different from the one you later use to access Foswiki and view configure; using a different password gives an extra level of security. This password is used for two things:
    • It is needed whenever you save the configuration
    • It serves as a special "admin" or "sudo" superuser password for temporary administrator rights on Foswiki.

Establish a Foswiki user and change Apache to use that ID for configure

  • Register on the Foswiki
  • Add yourself to the AdminGroup (optional).
    • To add yourself to the AdminGroup you need to use the special admin login (use the link on the Main.AdminGroup topic). The username is "admin" and the password is the one you defined when you saved for the first time in configure.
  • Now that you have a username, you also have an entry in the .htpasswd file.
    • You can add this user to the Require user [your user] statement in the Apache configuration, and
    • You can now remove the access by IP address from the Foswiki Apache config file: remove the lines Allow from localhost and Satisfy Any from the section that defines the protection for configure (as shown in the examples above).
  • Restart your Apache daemon.
  • Verify that you now need to authenticate with your Foswiki login name and Foswiki password to view configure, and that the warning is gone from configure.

Alternative: Create special configure username

An alternative method is to create a special configure user. Again, remember the warning from above: never run the program htpasswd on an existing Foswiki .htpasswd file, or it will wipe out all email addresses.

  • Generate an Apache config file for Foswiki using the ApacheConfigGenerator
    • Choose protection with a username only
    • DO NOT give the login name you will later use for registration on Foswiki, because an existing entry in the .htpasswd file will prevent you from registering with the same login name through Foswiki user registration.
  • Create an initial .htpasswd file with the user, for example "configureuser"
    • Change to the data directory of your Foswiki installation: cd /path/to/data
    • Create the .htpasswd file: htpasswd -c .htpasswd configureuser
    • You will be prompted for the password twice
    • Change the owner to the Apache daemon user, normally apache or www-data. This requires root, so on Ubuntu use sudo: sudo chown apache:apache .htpasswd
    • Restrict access rights to read/write for Apache only: chmod 660 .htpasswd
TIP If the .htpasswd file already exists, you can carefully edit the file and paste in an admin id generated using: htpasswd -bns configureuser secretpassword

  • Run configure and set up your server (authenticating with the configureuser and the password you gave)
  • When saving the configuration for the first time, remember to define a new password. This password is different from the one you later use to access Foswiki and view configure; using a different password gives an extra level of security.

  • Register on the Foswiki
  • Add yourself to the AdminGroup.
    • To add yourself to the AdminGroup you need to use the special admin login (use the link on the Main.AdminGroup topic). The username is "admin" and the password is the one you defined when you saved for the first time in configure.
  • Now that you have a username, you also have an entry in the .htpasswd file.
  • You can keep the special configure user, but you may instead want to switch to the same login name that you used to register on Foswiki. To do so, follow these steps.
    • In the Foswiki Apache config file, replace "configureuser" with the login name you used to register on Foswiki.
    • As root, use an editor to remove the line for "configureuser" from the .htpasswd file.
    • Restart the Apache daemon
    • Verify that you can access configure with the Foswiki username and password
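
Both .htpasswd edits on this page, pasting in an entry generated with htpasswd -bns and later deleting the "configureuser" line, touch a file in Foswiki's three-field login:hash:email format. The following example is added here (it is not Foswiki code) to do both edits while preserving the email fields that the plain htpasswd program would discard, and to flag records that have already lost theirs; the sample file contents are constructed, and the {SHA} routine reproduces what htpasswd -s writes.

```python
import base64
import hashlib

# Constructed sample of a Foswiki .htpasswd: login:password-hash:email, one user per line.
# The hashes here are placeholders, not real {SHA} values.
SAMPLE = ("JohnDoe:{SHA}hash-placeholder-1:john@example.invalid\n"
          "JaneRoe:{SHA}hash-placeholder-2:jane@example.invalid\n")


def sha_hash(password):
    """Apache {SHA} format, as written by `htpasswd -s`: base64 of the raw SHA-1 digest.
    Weak by modern standards; used here only because it is what the page's command emits."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def parse_htpasswd(text):
    """Return (login, hash, email) tuples. email is None for a two-field line, which is
    the tell-tale sign that the plain htpasswd program has rewritten the file."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError("malformed .htpasswd line: %r" % line)
        records.append((fields[0], fields[1], fields[2] if len(fields) > 2 else None))
    return records


def entries_missing_email(text):
    """Logins whose email field is gone, e.g. after an accidental htpasswd run."""
    return [login for login, _, email in parse_htpasswd(text) if email is None]


def add_user(text, login, password, email=""):
    """Append one record, leaving every existing line untouched. Refuses a duplicate
    login, since such an entry would also block Foswiki registration under that name."""
    if any(record[0] == login for record in parse_htpasswd(text)):
        raise ValueError("login %r already present" % login)
    if text and not text.endswith("\n"):
        text += "\n"
    return text + "%s:%s:%s\n" % (login, sha_hash(password), email)


def remove_user(text, login):
    """Drop the record for one login (the last step of switching back to your own
    Foswiki login), keeping all other lines byte-for-byte."""
    kept = [line for line in text.splitlines() if line.split(":")[0] != login]
    return "\n".join(kept) + "\n" if kept else ""
```

Run entries_missing_email over the live file before and after any edit; a non-empty result means the email fields have to be restored from a backup.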
Topic revision: r10 - 19 Nov 2011, AndrewJones