=== NOTE ===

InstallationNotes is only needed if you want to install SPW with OSLayerSecurity the way I did, i.e. with an spw user and a chroot jail. The code doesn't care whether it is installed like that or not. If you aren't so concerned about security as to want a chroot jail (and I bet you don't need to be worried; see SpeculationOnAttacks for why I think that), then you can set up SPW on your machine much more quickly, as per the instructions in Step #1 of SpwTutorial. All you need in that case is a standard installation of Apache with CGI enabled (it should work with any webserver that supports CGI, although I've only tested on Apache so far).

If you are still interested in how I've set up the stuff on my system with the extra security, read on.

----

I have set up the program on Debian GNU/Linux. The program is running off an Apache webserver with Cgiwrap to do the chroot and change users. I used the Makejail Debian package to make the chroot jail and to duplicate the necessary system libraries.

== Cgiwrap setup notes ==

I got the source to the Debian cgiwrap package with <code>apt-get source cgiwrap</code>. Next, I added

:<code>--without-check-owner --without-check-group --with-chroot=/var/www/wiki/spw</code>

to the configure options in the file ...<code>/cgiwrap-3.7.1/debian/rules</code> and recompiled using dpkg-buildpackage (be sure to remember to put "\\" at the end of continued lines in that file!). Then I installed the generated package (as root).

Next, you need to do something like <code>touch /var/www/spw.pl</code>. This creates a dummy file. This file won't be called, but <code>cgiwrap</code> stupidly checks for the existence of the requested script BEFORE doing its chroot, so a file at the indicated location must exist outside the chroot; otherwise <code>cgiwrap</code> refuses to continue.

== Makejail setup notes ==

I wrote the following config file (stored as <code>/etc/makejail/spw.py</code>), which I then invoked with <code>makejail /etc/makejail/spw.py</code> as root.
<pre>
maxRemove=1600
chroot="/var/www/wiki/spw"
testCommandsInsideJail=["/var/www/spw.pl", "diff /usr/bin/diff /usr/bin/diff"]
# Eventually append here the commands which access some services
# such as cgi or php scripts, database access, ...
# (all three test URLs go in ONE list: repeated assignments would keep only
#  the last one; the URL containing "&" is quoted so the shell does not split it)
testCommandsOutsideJail=["wget http://bayle.stanford.edu/cgi-bin/cgiwrap/spw/spw.pl",
                         "wget 'http://bayle.stanford.edu/cgi-bin/cgiwrap/spw/spw.pl?action=edit&id=HomePage'",
                         "wget http://bayle.stanford.edu/cgi-bin/cgiwrap/spw/spw.pl?action=login"]
preserve=["/var/www", "/var/log/apache", "/dev/log", "/spw", "/.htaccess"]
users=["spw"]
groups=["spw"]
packages=["perl", "perl-base", "perl-modules"]

# the following are comments that came with makejail and are not necessarily relevant to spw
# launch makejail
#
# copy the documents and the logs to the jail
# cp -Rp /var/www /var/chroot/apache/var
# cp -Rp /var/log/apache/*.log /var/chroot/apache/var/log/apache
#
# configure syslog to also listen to the socket /var/chroot/apache/dev/log, restart sysklogd
#
# In the startup script /etc/init.d/apache, just change the paths
# of variables used from outside the jail:
# APACHECTL="chroot /var/chroot/apache /usr/sbin/apachectl" (remove the line which tests -f $APACHECTL)
# PIDFILE=/var/chroot/apache/var/run/$NAME.pid
# CONF=/var/chroot/apache/etc/apache/httpd.conf
#
# handle /proc in the script (mount when it starts, unmount when it stops):
# chroot /var/chroot/apache /bin/mount /proc
#
# apache can fail starting though apachectl doesn't fail, see error.log in the chroot
#
# tested successfully with apache 1.3.22 on Debian woody
# (also with php4, mysql and a search engine)

# OpenBSD
#processNames=["httpd"]
#users=["nobody"]
#groups=["nogroup","www"]
</pre>

=== More makejail notes ===

Makejail notified me that I should mount the <code>proc</code> filesystem at <code>/proc</code> inside the jail.
So I created this startup script at <code>/etc/init.d/spwProcMount</code> (and symlinked it into some rc?.d directories so that it runs at boot time):

<pre>
#!/bin/sh
chroot /var/www/wiki/spw /bin/mount /proc
</pre>

=== Apache setup notes ===

For the time being, the general Apache stuff is beyond the scope of this documentation. But I will note that you must not allow CGI to be run directly from any directory that user <code>spw</code> can access -- otherwise, someone could use SPW to write malicious code to that directory, and then execute it ''outside of any safe compartment'' by just running the CGI directly. I do this by leaving an .htaccess file in the chroot jail root.

=== Cron setup notes ===

I created a file /etc/cron.d/spw:

<pre>
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
22 3,9,13,18 * * * spw /var/www/wiki/spw/home/root/spwcron
</pre>

and created this file at /var/www/wiki/spw/home/root/spwcron (it must be executable by user spw):

<pre>
#!/bin/sh
wget --spider 'http://purl.net/net/spw/spw.pl?action=maintain'
</pre>

----
CategoryDocumentation
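As an added example (not part of the original page, and not SPW's or makejail's own code), here is a shell script that audits the layout from the Cgiwrap, Makejail and Apache sections above: the dummy file cgiwrap wants outside the jail, the .htaccess at the jail root that switches CGI execution off (and that no .htaccess further down re-enables it or that the jail user could overwrite it), and /proc being mounted inside the jail. The paths and the assumption that .htaccess is owned by root match this page's setup; change them for a different install.

```shell
#!/bin/sh
# Added example (not from the original page): post-install checks for the
# cgiwrap + makejail layout described above. Assumed: jail root /var/www/wiki/spw,
# cgiwrap dummy /var/www/spw.pl, .htaccess owned by root. Each check returns 0 on pass.

# cgiwrap looks for the requested script BEFORE it chroots, so the dummy
# file must exist at the un-chrooted path.
dummy_exists() {
    [ -f "$1" ]
}

# The .htaccess at the jail root must switch CGI execution off, so that files
# the wiki writes inside the jail can never be run as scripts by the webserver.
root_htaccess_denies_cgi() {
    [ -f "$1/.htaccess" ] &&
        grep -Eiq '^[[:space:]]*Options[[:space:]].*-ExecCGI' "$1/.htaccess"
}

# That .htaccess must not be writable by the jail user, or the process it
# constrains could edit the restriction away: owned by $2, no g/o write bits.
htaccess_locked_down() {
    f="$1/.htaccess"
    [ "$(find "$f" -user "$2" ! -perm /022 -print 2>/dev/null)" = "$f" ]
}

# No deeper .htaccess may turn ExecCGI back on or map a handler to cgi-script.
no_cgi_reenabled_below() {
    find "$1" -mindepth 2 -name .htaccess -type f -exec grep -Eiq \
        '(Options.*[[:space:]][+]?ExecCGI|(Add|Set)Handler.*cgi-script)' {} \; \
        -print | grep -q . && return 1
    return 0
}

# makejail asked for /proc inside the jail (see the spwProcMount script).
proc_mounted_in_jail() {
    [ -r /proc/mounts ] &&
        awk -v p="$1/proc" '$2 == p { found = 1 } END { exit !found }' /proc/mounts
}

# Run every check and report; returns non-zero if any failed (args are word-split).
audit_spw_jail() {
    jail=$1; dummy=$2; owner=$3; rc=0
    for check in "dummy_exists $dummy" "root_htaccess_denies_cgi $jail" \
            "htaccess_locked_down $jail $owner" "no_cgi_reenabled_below $jail" \
            "proc_mounted_in_jail $jail"; do
        if $check; then echo "PASS: $check"; else echo "FAIL: $check"; rc=1; fi
    done
    return $rc
}
```

On a live install, run <code>audit_spw_jail /var/www/wiki/spw /var/www/spw.pl root</code> as root after sourcing the script; a FAIL line names the check that needs attention.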