[Moin-user] How to make pages uneditable? (by anyone)

Mitchell Marks mitchell at cuip.net
Tue Apr 8 05:53:05 EDT 2003


Thank you for looking into the difficulty we were having here.  I dropped 
your "testid.cgi" into our cgi-bin, and it shows Apache, not root (from 
http://cwd.uchicago.edu/cgi-bin/testid.cgi):
>-----------------
>uid=48(apache) gid=48(apache) groups=48(apache)
>-----------------

How then is the owner being changed?  I think I see: it's not a chown, 
which user "apache" indeed shouldn't be able to do.  But because apache 
owns the directory, with w permissions, it can delete the file [even when 
it does not have w permission on the file itself], then create a new file 
under its own ownership.  As another indication that this is what's 
happening, the inode number was new after the editing step.

As I indicated in another posting, our project is still looking into what 
new approaches to introduce in this summer's program.  If the test group 
"adopts" WikiWiki as a component, I'll look forward to the opportunity to 
more thoroughly "get into" the MoinMoin world, including keeping up with 
the latest CVS versions.  This mailing list seems to be a friendly, open 
forum, which I am happy to have found.

Best regards,

   Mitch Marks


At 05:54 PM 4/4/03, you wrote:
>Hi,
>
> > apache 1.3.27, runs as apache:apache
>
>There is reason to doubt that.
>
>At least the CGI seems to run as root, which is definitely a bad idea.
>
> > We have a very new MoinMoin Wiki (at http://cwd.uchicago.edu/wiki/), and
> > I'm also quite new to handling such a system, so I hope you'll be tolerant
> > of newbie questions.
>
>No problem. You may want to read in the Meatball Wiki to get the spirit.
>
> > I want to lock down some pages so they can't be edited.  It's not mischief,
> > it's accident and misunderstanding. (Members of our test group have signed
> > up at UserPreferences, then immediately press Edit to get started making
> > pages -- and wipe out the UserPreferences form.)
>
>If that is seldom, it is no problem as long as there are some users
>reverting the page to its original state. If you are a logged-in user,
>you have a "revert" action on the version history page of the latest
>moin code (CVS).
>
>So it is very easy to get back the correct version.
>
> > I came across a FAQ where the answer to "How do I make immutable pages?"
> > was "Just set the permissions bits."  That doesn't seem to be working for
> > me.  I remove write permissions, and for that matter change the ownership
> > to either root or some other user; then go to the web and edit it in the
> > Wiki.  The ownership comes back to apache:apache and the write bits are on
>
>Only root can change ownership of a file, so your CGI must be running as
>root. A normal user can't change ownership of a file - even if he is the
>current owner (just imagine changing a suid file from owner badguy to
>root and starting it!).
>
>tw at notebook-tw:~$ ls -l testme
>-rw-r--r--    1 tw       tw              0 Apr  5 00:45 testme
>tw at notebook-tw:~$ chown www-data.www-data testme
>chown: changing ownership of `testme': Operation not permitted
>tw at notebook-tw:~$ su
>Password:
>notebook-tw:/home/tw#  chown www-data.www-data testme
>notebook-tw:/home/tw# ls -l testme
>-rw-r--r--    1 www-data www-data        0 Apr  5 00:45 testme
>notebook-tw:/home/tw# id
>uid=0(root) gid=0(root) groups=0(root),103(lpadmin)
>notebook-tw:/home/tw# exit
>exit
>tw at notebook-tw:~$ ls -l testme
>-rw-r--r--    1 www-data www-data        0 Apr  5 00:45 testme
>tw at notebook-tw:~$ chown tw.tw testme
>chown: changing ownership of `testme': Operation not permitted
>tw at notebook-tw:~$ id
>uid=1000(tw) gid=1000(tw) groups=1000(tw),29(audio),44(video)
>
>
> > >-r--r--r--    1 mitchell mitchell      118 Apr  4 13:09 TestImmutablePage
> > ((here I edited it on the web))
> > >[1:22pm] root at cwd:text 246# ls -l TestImmutablePage
> > >-rw-rw-rw-    1 apache   apache        129 Apr  4 13:23 TestImmutablePage
>
>Very strange! Maybe check with some cgi like that:
>
>#!/bin/sh
># Print the uid/gid the web server runs CGIs as. printf is used instead of
># "echo -e": dash's echo prints the -e literally, which would corrupt the header.
>printf 'Content-type: text/plain\n\n'
>echo "-----------------"
>id
>echo "-----------------"
>
>Just save that as testid.cgi and call it instead of moin.cgi.
>
> >
> > The text directory has this ownership and permissions:
> > >[1:23pm] root at cwd:text 247# ls -ld .
> > >drwxrwxr-x    2 apache   apache       4096 Apr  4 13:23 ./
>
>You could also change that to drwx------ root root and check if the
>moin.cgi still works. If yes, it must be running as root (and that is
>bad).
>
>BTW: if you use the su_exec (suexec?) apache module you can set the user/group
>that apache calls CGIs as.
>
> > If I made the directory unwritable, wouldn't that interfere with normal
> > saving of all the other pages?
>
>Yes. Bad idea.
>
> >  Is there another place where pages can be
> > kept, and participate in the WikiName linking, but the directory can be
> > unwritable or belong to someone other than apache?
>
>Not yet. I am working on ACLs (see MoinMoin wiki) but that is stuff for
>version 1.2. But chown/chmod normally really helps.
>
>You can also use a SecurityPolicy, see the MoinMoin wiki for some
>samples. A little bit python coding is necessary in that case.
>
>greetings,
>
>Thomas
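Added example, not code from the thread or from MoinMoin: the mechanism Mitch infers at the top of this message (the directory's w bit, not the file's own bits, decides whether a page can be unlinked or renamed over, and the replacement is a fresh inode owned by the writing process), together with Thomas's point that taking w off the directory blocks every save in it, reproduced in a scratch directory. The helper names, paths and page text are assumptions for the demo; the page name is borrowed from the thread.

```shell
#!/bin/sh
# Added example; this is not code from the thread or from MoinMoin. It
# reproduces, in a scratch directory, why a 444 page in a writable directory
# is still replaced: unlink(2) and rename(2) check the directory, not the file.
# Paths, page text and helper names are assumptions for the demo.

# Scratch wiki: a 775 "text" directory (like the thread's drwxrwxr-x) holding
# one 444 page (the FAQ's "set the permission bits"). Prints the directory.
make_scratch_wiki() {
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/moin-demo.XXXXXX") || exit 1
    mkdir "$scratch/text"
    printf 'original\n' > "$scratch/text/TestImmutablePage"
    chmod 444 "$scratch/text/TestImmutablePage"
    chmod 775 "$scratch/text"
    printf '%s\n' "$scratch"
}

# POSIX inode lookup (stat -c %i is GNU-specific).
inode_of() { ls -i "$1" | awk '{ print $1 }'; }

# Save the way many editors and wikis do: write a temp file beside the page,
# then rename it over the page. The old file's mode is never consulted.
# Prints 1 when the page was replaced and now has a different inode.
save_by_rename() {
    dir=$(make_scratch_wiki)
    page="$dir/text/TestImmutablePage"
    before=$(inode_of "$page")
    printf 'edited\n' > "$page.tmp"
    mv -f "$page.tmp" "$page"            # rename(2): needs w+x on the directory only
    after=$(inode_of "$page")
    text=$(cat "$page")
    rm -rf "$dir"
    if [ "$before" != "$after" ] && [ "$text" = "edited" ]; then echo 1; else echo 0; fi
}

# Save by unlink-and-recreate, the variant Mitch inferred. rm -f on a 444
# file succeeds in a writable directory; the new file gets the writer's uid
# and the umask default mode, which is why "the write bits are on" afterwards.
# Prints 1 when the old file was removed and the replacement is writable.
save_by_unlink() {
    dir=$(make_scratch_wiki)
    page="$dir/text/TestImmutablePage"
    rm -f "$page" && printf 'edited\n' > "$page"
    result=0
    [ -w "$page" ] && [ "$(cat "$page")" = "edited" ] && result=1
    rm -rf "$dir"
    echo "$result"
}

# The countermeasure the thread considers and rejects (it blocks every save in
# that directory): remove w from the directory. Prints 1 when both the rename
# path and the unlink path now fail. root ignores mode bits, so as uid 0 this
# prints skip instead.
save_blocked_by_readonly_dir() {
    if [ "$(id -u)" -eq 0 ]; then echo skip; return 0; fi
    dir=$(make_scratch_wiki)
    page="$dir/text/TestImmutablePage"
    chmod 555 "$dir/text"
    result=1
    printf 'edited\n' > "$page.tmp" 2>/dev/null && result=0   # creating the temp file fails
    rm -f "$page" 2>/dev/null && result=0                     # unlinking the page fails too
    [ -f "$page" ] || result=0                                # original must survive
    chmod 775 "$dir/text"
    rm -rf "$dir"
    echo "$result"
}

echo "rename over 444 page replaced it (new inode): $(save_by_rename)"
echo "unlink + recreate of 444 page succeeded:      $(save_by_unlink)"
echo "save blocked by 555 directory:                $(save_blocked_by_readonly_dir)"
```

Run it as an ordinary user to see all three results; as root the last check is skipped because root bypasses mode bits entirely. The ownership flip Mitch saw (mitchell to apache) is the same effect seen across two uids: the replacement file belongs to whoever created it, so with a single user the demo can only show the inode and mode change, not the owner change.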