urosm
/
ikiwiki
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add some documentation about how to safely allow multiple committers to an 

ikiwiki git repository
master
Joey Hess 2007-11-27 12:41:18 -05:00
parent d75e4ee12c
commit cb777df041
2 changed files with 23 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
doc/rcs/git.mdwn
View File

@ -28,3 +28,22 @@ the bare repository, using either the `git` transport (if available), or
`ssh`.
The ikiwiki `post-commit` hook should be put in the bare repository.
## git repository with multiple committers
It can be tricky to get the permissions right to allow multiple people to
commit to an ikiwiki git repository. As the [[security]] page mentions,
for a secure ikiwiki installation, only one person should be able to write
to ikiwiki's srcdir. When other committers make commits, their commits
should go to the bare repository, which has a `post-update` hook that uses
ikiwiki to pull the changes to the srcdir.
One setup that will work is to put all committers in a group (say,
ikiwiki), and use permissions to allow that group to commit to the bare git
repository. Make both the post-update hook and ikiwiki.cgi be setgid
to the group, as well as suid to the user who admins the wiki. The
`wrappergroup` [[setup_file_option|usage]] can be used to make the wrappers
be setgid to the right group. Then the srcdir, including its git
repository, should only be writable by the wiki's admin, and *not* by the
group. Take care that ikiwiki uses a umask that does not cause files in
the srcdir to become group writable. (umask 022 will work.)

8
doc/security.mdwn
View File

@ -49,11 +49,11 @@ this.
## multiple accessors of wiki directory
If multiple people can write to the source directory ikiwiki is using, or
to the destination directory it writes files to, then one can cause trouble
for the other when they run ikiwiki through symlink attacks.
If multiple people can directly write to the source directory ikiwiki is
using, or to the destination directory it writes files to, then one can
cause trouble for the other when they run ikiwiki through symlink attacks.
So it's best if only one person can ever write to those directories.
So it's best if only one person can ever directly write to those directories.
## setup files