
InstallationNotes

NOTE

InstallationNotes is only needed if you want to install SPW with OSLayerSecurity the way I did, i.e. with an spw user and a chroot jail. The code doesn't care whether it is installed like that or not.

If you aren't so concerned about security as to want a chroot jail (and I bet you don't need to be worried; see SpeculationOnAttacks for why I think that), then you can set up SPW on your machine much more quickly by following Step #1 of SpwTutorial. All you need in that case is a standard installation of Apache with CGI enabled (it should work with any webserver that supports CGI, although I've only tested on Apache so far).

If you are still interested in how I've set up the stuff on my system with the extra security, read on.


I have set up the program on Debian GNU/Linux.

The program is running off an Apache webserver with Cgiwrap to do the chroot and change users. I used the Makejail debian package to make the chroot jail and to duplicate the necessary system libraries.

Cgiwrap setup notes

I got the source to the Debian cgiwrap package with apt-get source cgiwrap.

Next, I added

--without-check-owner --without-check-group --with-chroot=/var/www/wiki/spw

to the configure options in the file .../cgiwrap-3.7.1/debian/rules and recompiled using dpkg-buildpackage (be sure to end each continued line in that file with a backslash, otherwise make will not see the added options!).

Then I installed the generated package (as root).

Next, you need to do something like touch /var/www/spw.pl to create a dummy file. This file won't be called, but cgiwrap stupidly checks for the existence of the requested script BEFORE doing its chroot, so a file must exist at that location outside the chroot, otherwise cgiwrap refuses to continue.

Makejail setup notes

I wrote the following config file (stored as /etc/makejail/spw.py), which I then invoked with makejail /etc/makejail/spw.py as root:

maxRemove=1600
chroot="/var/www/wiki/spw"

testCommandsInsideJail=["/var/www/spw.pl", "diff /usr/bin/diff /usr/bin/diff"]


# Eventually append here the commands which access some services
# such as cgi or php scripts, database access, ...
# All three requests go in one list: assigning testCommandsOutsideJail three
# times would keep only the last one. The URL containing '&' is quoted so the
# shell does not treat the '&' as a job separator.
testCommandsOutsideJail=["wget http://bayle.stanford.edu/cgi-bin/cgiwrap/spw/spw.pl",
                         "wget 'http://bayle.stanford.edu/cgi-bin/cgiwrap/spw/spw.pl?action=edit&id=HomePage'",
                         "wget http://bayle.stanford.edu/cgi-bin/cgiwrap/spw/spw.pl?action=login"]


preserve=["/var/www",
		  "/var/log/apache",
		  "/dev/log", "/spw", "/.htaccess"]

users=["spw"]
groups=["spw"]

packages=["perl", "perl-base", "perl-modules"]



# the following are comments that came with makejail and are not necessarily relevant to spw

# launch makejail
#
# copy the documents and the logs to the jail
# cp -Rp /var/www /var/chroot/apache/var
# cp -Rp /var/log/apache/*.log /var/chroot/apache/var/log/apache
#
# configure syslog to also listen to the socket /var/chroot/apache/dev/log, restart sysklogd
#
# In the startup script /etc/init.d/apache, just change the paths
# of variables used from outside the jail:
# APACHECTL="chroot /var/chroot/apache /usr/sbin/apachectl" (remove the line which tests -f $APACHECTL)
# PIDFILE=/var/chroot/apache/var/run/$NAME.pid
# CONF=/var/chroot/apache/etc/apache/httpd.conf
#
# handle /proc in the script (mount when it starts, unmount when it stops):
# chroot /var/chroot/apache /bin/mount /proc
#
# apache can fail starting though apachectl doesn't fail, see error.log in the chroot
#

# tested successfully with apache 1.3.22 on Debian woody
# (also with php4, mysql and a search engine)

# OpenBSD
#processNames=["httpd"]
#users=["nobody"]
#groups=["nogroup","www"]

More makejail notes

Makejail notified me that I should mount the proc filesystem at /proc inside the jail. So I created this startup script at /etc/init.d/spwProcMount (and symlinked it into some rc?.d directories so that it runs at boot time):

#!/bin/sh

chroot /var/www/wiki/spw /bin/mount /proc

Apache setup notes

For the time being, the general Apache configuration is beyond the scope of this documentation. But I will note that you must not allow CGI scripts to be executed directly from any directory that the spw user can write to -- otherwise, someone could use SPW to write malicious code into that directory and then run it outside of any safe compartment simply by requesting the CGI directly.

I do this by leaving a .htaccess file in the chroot jail root.
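As an added post-install check (my own example, not part of SPW or of the setup above), the following script tests the properties these notes rely on: the dummy script outside the jail that cgiwrap stats before chrooting, the real script inside the jail, /proc mounted inside it, and the rule that nothing the spw user can write is executable. It assumes the jail-root .htaccess contains "Options -ExecCGI", that the script inside the jail lives at /var/www/spw.pl, and that the spw-writable tree is the jail's /var/www; adjust those if yours differ.

```shell
#!/bin/sh
# Audit script for the jail layout described on this page. Each check prints a
# FAIL line and returns 1; audit_spw_jail runs them all and returns 0 only if
# every check passes.

# cgiwrap stats the script path before it chroots, so a dummy copy must exist
# outside the jail (the page's "touch /var/www/spw.pl").
check_dummy_outside() {
    [ -e "$1" ] || { echo "FAIL: dummy $1 missing outside the jail"; return 1; }
}

# The real script, at the path cgiwrap sees after chroot, must be executable
# (assumed location: /var/www/spw.pl inside the jail).
check_script_inside() {
    [ -x "$1/var/www/spw.pl" ] || { echo "FAIL: $1/var/www/spw.pl not executable"; return 1; }
}

# makejail asked for /proc inside the jail (the spwProcMount init script).
check_proc_mounted() {
    [ -e "$1/proc/self" ] || { echo "FAIL: /proc not mounted under $1"; return 1; }
}

# The .htaccess at the jail root is assumed to carry "Options -ExecCGI"; the
# page only says such a file is left there.
check_htaccess() {
    grep -qs -e '-ExecCGI' "$1/.htaccess" || { echo "FAIL: $1/.htaccess lacks -ExecCGI"; return 1; }
}

# Nothing in the spw-writable tree may carry an execute bit, except the wiki
# script itself. $1 is that tree (assumed here to be the jail's /var/www).
check_no_exec_in_webroot() {
    stray=$(find "$1" -type f -perm -100 ! -name spw.pl 2>/dev/null)
    [ -z "$stray" ] || { echo "FAIL: executable file(s) under $1:"; echo "$stray"; return 1; }
}

# Usage: audit_spw_jail [JAIL] [DUMMY] [WRITABLE_TREE]; defaults match this page.
audit_spw_jail() {
    jail=${1:-/var/www/wiki/spw}
    dummy=${2:-/var/www/spw.pl}
    tree=${3:-$jail/var/www}
    rc=0
    check_dummy_outside "$dummy" || rc=1
    check_script_inside "$jail" || rc=1
    check_proc_mounted "$jail" || rc=1
    check_htaccess "$jail" || rc=1
    check_no_exec_in_webroot "$tree" || rc=1
    return $rc
}
```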

Cron setup notes

I created a file /etc/cron.d/spw:

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

22 3,9,13,18    * * *   spw /var/www/wiki/spw/home/root/spwcron

and created this file at /var/www/wiki/spw/home/root/spwcron:

#!/bin/sh
wget --spider 'http://purl.net/net/spw/spw.pl?action=maintain'

CategoryDocumentation