]> git.vanrenterghem.biz Git - git.ikiwiki.info.git/blobdiff - doc/setup/byhand/discussion.mdwn
projects / git.ikiwiki.info.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
no time to do maser for now, but some pointers and thanks
[git.ikiwiki.info.git] / doc / setup / byhand / discussion.mdwn
diff --git a/doc/setup/byhand/discussion.mdwn b/doc/setup/byhand/discussion.mdwn
index 4d009f20d75a2592574dc839a6160fca64e710f2..deb79a8db4061e8251dba3fa115271e9390c3c76 100644 (file)
--- a/doc/setup/byhand/discussion.mdwn
+++ b/doc/setup/byhand/discussion.mdwn
@@ -13,3 +13,10 @@ The page says *"Note that this file should **not** be put in your wiki's directo
 One possible thing is security: Is it just a precaution or would anyone with "write" access to wiki be able to replace the file?
 
  --[[Martian]]
+
+> Anyone with the ability to delete/replace attachments via the web UI, or the ability
+> to commit directly to the VCS, would be able to replace it. That breaks ikiwiki's
+> security model, because replacing the setup file is sufficient to achieve
+> arbitrary code execution as the user running the CGI and VCS hooks. --[[smcv]]
+
+>> Thanks. After all found it here: [[security]]. Now I wonder if I always use a file from the master branch, while limiting users to staging, it might fly...
Unnamed repository; edit this file 'description' to name the repository.