Security for private Dokuwiki using QuickPHP
simonx #1
Member since Apr 2012 · 6 posts
Group memberships: Members
I'm conscious that I'm slightly out of my depth here, but I should be grateful for any advice.

Over the last few days I've been looking for a desktop application which would allow me to create a *private* wiki, running on my own laptop, to store information about some projects I am working on. There are a number, but none was quite ideal. Zim was perhaps the closest, but for complicated reasons I couldn't live with the fact that it added its own headers to the text files it saved: and I particularly needed something which supported Creole markup.

Dokuwiki, with the Creole plugin, seemed to fit the bill. I downloaded QuickPHP, Dokuwiki itself, and the Creole plugin, and was up and running surprisingly painlessly... except that my Admin menu showed an ugly warning to the effect that my "data directory wasn't properly secured".

It referred me to a web page which I read, but found difficult to apply. It made reference to using Apache's .htaccess, but I wasn't using Apache, and to moving my data directory, which I did manage to do, but without removing the warning.

I don't know if running QuickPHP is making my computer vulnerable, or if the warning generated by Dokuwiki is relevant to a system configured like mine: as is doubtless obvious, this isn't my area of expertise. But I'd be grateful for any advice.

I'm running Windows 7, QuickPHP 1.14.0, and Dokuwiki 2012-01-25a "Angua".

On a slightly separate point, my system is quite carefully organised so that my data is separated from my programs: I have a separate, TrueCrypt virtual drive which stores only data. Is there any way of configuring Dokuwiki so that the *pages* folder, which is the only one I'd fear losing (I can rebuild everything else quite easily, don't need version histories and so forth, and I like the simplicity of knowing only data is stored on that drive), can be separated not only from the rest of Dokuwiki, but even from the other folders in the *data* folder?

Many thanks for your time. And to the creator - my congratulations on an extraordinary product. That I got as far as I did is frankly rather surprising, and speaks well of its design :)

Simon
This post was edited on 2012-04-25, 21:51 by simonx.
turnermm (Moderator) #2
Member since Oct 2009 · 2320 posts
Group memberships: Global Moderators, Members
Here are the relevant pages:

http://www.dokuwiki.org/security
http://www.dokuwiki.org/config:savedir
http://www.dokuwiki.org/config
Myron Turner
fckgLite (&ckgedit): http://www.mturner.org/fckgLite/
github: https://github.com/turnermm
plugins, templates: http://www.mturner.org/devel
simonx #3
Member since Apr 2012 · 6 posts
Group memberships: Members
Thanks Myron, it was good of you to reply.

I had already read these pages - in fact, I mention the security page specifically in my initial message - but I'm afraid they don't really help.

You see, the security page discusses various forms of server, such as Apache, but not a stand-alone desktop system using QuickPHP. It makes reference to moving the data folder, and as I say, I did do this, but it didn't clear the warning.

The page on setting savedir I did see too, but this moves the *data* folder. As I mentioned, I did already do this :) My second question, separate from security, was whether there was any way of moving just the *pages* folder, not everything in data. There is a variable that relates to the pages folder, but I'm not clear on whether this can be changed from just a name to a path: or if it can, what path I would need to use to move pages onto a different drive - which is the aim I describe. I'm guessing that if it can be made a path at all, it would still be relative to savedir (ie. the data folder).

But thanks for getting back to me so soon. If you can advise me on the security of a local, QuickPHP setup (it's mentioned by the Dokuwiki site, but security isn't discussed), or on a way it might be possible to isolate and move just the pages folder, I'd be most grateful.

Simon
This post was edited 3 times, last on 2012-04-26, 02:10 by simonx.
turnermm (Moderator) #4
Member since Oct 2009 · 2320 posts
Group memberships: Global Moderators, Members
Not being familiar with QuickPhp, I checked out the web site. It has this recommendation:
      • NOTE *** If you have a Windows Firewall running, running QuickPHP for the first time will cause Windows to prompt you for approval. You DO NOT have to unblock QuickPHP if you are debugging your scripts locally (e.g. 127.0.0.1). In fact, it is recommended for higher security that you DO NOT UNBLOCK QuickPHP.

Reason: As QuickPHP is meant for PHP development purposes and not for web hosting, it runs with your credentials - if you are logged on as Administrator, then QuickPHP will also run as Administrator.

If you run the QuickPhp server in this restricted way, there shouldn't be any security concern, since only someone sitting at the  laptop can access the server.  This statement implies that you can get additional security if you create a non-administrator user and run QuickPhp as this non-administrator. 

That security warning which you encountered comes from Dokuwiki, when it finds that it can directly access your data.  Dokuwiki's security depends on being able to block direct access so that it can decide, based on ACL rules, who can and cannot view and edit your data.  The .htaccess files define the rules which do the blocking.  In addition, if you are not connected to the Internet or to a LAN, then similarly, there should be no need for concern.


I've occasionally been scolded for giving too permissive advice.  But I can't see where you can go wrong if you take the strict approach recommended by QuickPhp. 

Someone else will perhaps come along and give this question a second look. (Andi?)
Myron Turner
This post was edited 2 times, last on 2012-04-26, 02:46 by turnermm.
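
An added example, not part of the thread or of DokuWiki's own code: the warning discussed in post #4 is about files under the data directory being served directly, and this probe checks that from the outside. The probe paths assume a default install with savedir still at ./data under the web root, and the base URL in the script is a constructed placeholder.

```python
"""Probe whether DokuWiki's data directory is directly reachable over HTTP."""
import urllib.error
import urllib.request

# Pages shipped with a default install (assumption: savedir is still ./data
# under the web root; adjust the list if these pages were removed).
PROBE_PATHS = [
    "data/pages/wiki/dokuwiki.txt",
    "data/pages/wiki/syntax.txt",
]


def http_status(url, timeout=5):
    """Return the HTTP status for a GET of url, or None if unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code          # 403/404 are answers, not failures
    except (urllib.error.URLError, OSError):
        return None              # nothing listening or connection blocked


def exposed_paths(base_url, fetch=http_status, paths=PROBE_PATHS):
    """List the probe URLs that the server hands out directly (HTTP 200)."""
    base = base_url.rstrip("/") + "/"
    return [base + p for p in paths if fetch(base + p) == 200]


def verdict(base_url, fetch=http_status):
    """Summarise the result in the terms of the admin warning."""
    hits = exposed_paths(base_url, fetch)
    if hits:
        return "EXPOSED: " + ", ".join(hits)
    return "OK: no probe file was served directly"


if __name__ == "__main__":
    # Constructed example URL: a wiki served on the loopback address only.
    print(verdict("http://127.0.0.1:8080/dokuwiki"))
```

Run against the loopback address, it shows what the warning is detecting; run from a second machine against the laptop's LAN address, an "OK" result with no response at all confirms the firewall is keeping the server local.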
simonx #5
Member since Apr 2012 · 6 posts
Group memberships: Members
Yes - I saw the QuickPHP advice too. In fact, I had already given permission for "computers on this network" - which I'm guessing means my laptop and my router - but I went into Windows Firewall and deleted even those permissions when I read this.

I think the problem is that I'm struggling to form a mental image of what QuickPHP actually does, if you see what I mean. It seems to include an interpreter for the PHP language, which is naturally essential for Dokuwiki, but also to act as an actual server: and that's the bit that makes me nervous. There are no lines relating to QuickPHP in either my inbound or outbound firewall rules, so I'm hoping this means that it is effectively kept entirely isolated, but I wanted to ask a grown up just in case I was making a horrible mistake.

You've reassured me a little on this score - and I'm grateful.

Moving the 'pages' folder to a new drive is proving more difficult. For now, I've used 'savedir' to move the whole data folder to my 'user data' drive: it's not ideal, but it's livable. As you say - perhaps someone will have a way of moving just 'pages'. Cache, media, version history and so on are all so many dead files to me: my wish is purely to create an engine which will display my beloved Creole marked text files. In Unix, I'm guessing I could use some kind of symbolic link to move 'pages' without even telling Dokuwiki - just leaving a link where pages *should* be - but on Windows 7, this trick doesn't seem to work. 'datadir' isn't individually accessible through config - sooner or later I may have to see what happens if I change it in the configuration files themselves - though again, I'm not sure what path - given that Dokuwiki is on the C: drive - will let me move 'pages' to the X: drive.

As you say, maybe some other obsessive-compulsive data-separator will be able to advise :)

Manny
turnermm (Moderator) #6
Member since Oct 2009 · 2320 posts
Group memberships: Global Moderators, Members
On Windows, starting with Vista, you can in fact create real symbolic links with the mklink function run as administrator.   Here is a link to a German post, but whether or not you can read the German sections, it gives the technique for creating symlinks:
http://forum.dokuwiki.org/post/31727

However, this wouldn't give you the security you want from moving the save directory, because outsiders who had access to your wiki could still access the pages directory by means of the symlink.  The function of the savedir option is to move the data outside the knowledge/view of external users to a location that Dokuwiki knows but is not obvious to outsiders, and on a live server outside the document root, which means that it is not accessible by url.
Myron Turner
simonx #7
Member since Apr 2012 · 6 posts
Group memberships: Members
That's very interesting - I shall look this up.

I hear what you say about moving the directory not itself giving security - that was probably my fault for asking two separate questions in one post. I was worried about security, but I think you've answered that as well as it's going to be answered - as far as I can tell, QuickPHP can't talk to anyone on the net.

But the reason I want to move the 'pages' folder is not for security. It's because I have a drive which I keep strictly for my own created data only. With most applications this is easy - I put (for instance) Photoshop on the C: drive (where it goes by default) and save my actual image files on the X: drive.

With Dokuwiki, it's a little more complicated, because Dokuwiki is a large collection of script, config and data files in a complex structure. But the only part of this entire setup which I wish to put on my user-data X: drive is the 'pages' folder - that contains the Creole txt files with all my actual project work. The media, versioning and caching folders can all live in the data folder inside Dokuwiki: I just want to relocate and so logically separate my Creole marked-up text files.

You can *almost* do this by modifying savedir - but this moves the 'data' file, which brings a lot of things besides the 'pages' folder. That's why I was considering using a link to relocate *just* pages.

So the advice on the link is most helpful.

Simon
turnermm (Moderator) #8
Member since Oct 2009 · 2320 posts
Group memberships: Global Moderators, Members
I'm sure the symlink would work for your purposes.

Did you know that there is a Creole plugin for Dokuwiki?
http://www.dokuwiki.org/plugin:creole
Myron Turner
simonx #9
Member since Apr 2012 · 6 posts
Group memberships: Members
Oh yes - using it already. First thing I did :) Big fan of Creole.

One of the most frustrating things is that while there are lots of Wiki tools, they all use different markup systems. Even where they nominally use one (MediaWiki, Markdown...), there are generally little kinks in their implementation which make them incompatible with each other.

This isn't a criticism of any particular Wiki of course - every system has to use something, and making changes is difficult without breaking existing content. But it is a pity.

I do a lot of work on my phone - the Galaxy Note, a phone large enough to work on during the week, and go surfing on on weekends. There are a number of Wiki type systems available for it, the best probably being Wikimind. It's not quite Creole in its markup, but it's very close. With Dokuwiki, and the Creole plugin, they are just close enough to allow me to work on the same files on the PC and on my phone.

There is only one frustrating difference. Wikimind doesn't support ":" for namespace scoping. It simply uses a "/" in the link to indicate a subfolder. The effect is much the same, but it means that where my links leave the namespace, they won't work on my phone, because they are marked with ":" rather than "/". But... there's not a lot I can do about this, and most of the markup now works the same on the PC (on Dokuwiki) and on my ludicrously huge phone (on Wikimind) - and I'm already syncing them back and forth.

Simon
andi (Administrator) #10
Member since May 2006 · 2444 posts · Location: Berlin Germany
Group memberships: Administrators, Members
In reply to post #4
Quote by turnermm:
Someone else will perhaps come along and give this question a second look. (Andi?)

I agree with you here. If this is a wiki that is running on your local machine only, eg. is not accessible from the network then you don't need to worry about the warning and can ignore it.

An alternative might be DokuWiki on a Stick. It includes a minimal Apache webserver and is completely preconfigured and despite its name you can also install it on your local harddisk.
Read this if you don't get any useful answers.
andi (Administrator) #11
Member since May 2006 · 2444 posts · Location: Berlin Germany
Group memberships: Administrators, Members
In reply to post #9
Quote by simonx:
There is only one frustrating difference. Wikimind doesn't support ":" for namespace scoping. It simply uses a "/" in the link to indicate a subfolder.

Enable the useslash option and rewriting in DokuWiki and you can use the slash in both setups. Again, DokuWiki on a Stick already has this preconfigured if I remember correctly.
simonx #12
Member since Apr 2012 · 6 posts
Group memberships: Members
Thanks Andi - useslash is ideal!

It's not quite 'DokuWiki on Android' but - with DokuWiki on my PC running Creole (and giving Creole precedence) and useslash enabled - Wikimind is sufficiently similar to allow me to use and edit my wiki on my phone: that's a huge help.

I did look at Dokuwiki on a stick, and it's clever, but I'm going to stick with QuickPHP: it's nice to be able to use the main Dokuwiki release without having to wait for a 'sticky' version to be compiled, and it is extraordinarily simple. Now that I understand the meaning of the security warning Dokuwiki threw up rather better, I'm less worried: it's reasonable for Dokuwiki to warn me that various directories are 'writeable', but it's really now down to my Firewall to prevent external connections to and from QuickPHP itself.

I even had a crack at modifying one of the plugins to create one I needed, with some success: a rather old dirlisting plugin gave me the basis I needed to create a plugin which offered wiki links to all the .txt files in a specified folder. It's the kind of plugin which would doubtless raise security issues for a public wiki, but is ideal for a private one: I can drop Creole marked txt files into a folder, and they automatically appear as links on a single index page for that folder, even if I've never linked to them through the wiki before, and so they haven't been indexed. (Most of the indexing plugins seem to use DokuWiki's own indices, rather than the raw content of a folder, to build their lists.) I doubt this is of enough general interest to upload, but it was fun to make.

Many thanks for your advice, and for a wiki I'm enjoying more and more as I work with it.