Hi Sergiu,

OK, I can say then that:
1) Container security doesn't seem to be a major concern, or you would have 
been more preoccupied. I will seek a qualified professional and pass 
him your information.
2) A wiki secured by its users is up to me :) this is quite normal

BUT the real question is whether XWiki by itself has security issues. Let 
me give an example: PHP has a weakness known as "SQL injection".

Is XWiki prone to the same kind of problem?

Thanks,
Alain

Sergiu Dumitriu wrote:
> Hi Alain,
> 
> There are 2 security areas when talking about XWiki: the security of the 
> underlying system, and the security of the wiki itself.
> 
> The first one depends a lot on the security of the container (Tomcat, 
> for example), and I think that most containers are pretty safe to use, 
> as a lot of websites are built on the Java technology. One important 
> aspect is the security model of the JVM; you can leave the container 
> without a security manager, which allows an application to do anything 
> (well, anything the user owning the java process can do on the system), 
> or enable the security manager which allows an application to do only 
> what you tell it to. While enabling the security manager is the safest 
> thing to do, we didn't quite experiment with this, so we can't provide a 
> good policy file that will allow XWiki to run; you will have to write it 
> yourself. There is a minimal file which allows XWiki to start under the 
> security manager, but it isn't tested on more than viewing a page (see 
> http://jira.xwiki.org/jira/browse/XWIKI-348). If you want to play around 
> with this policy file until you determine the minimum safe set of rules, 
> then you won't have anything to worry about on the system security.
> 
> The second part is a bit trickier, as it depends a lot on how you manage 
> users and their rights. If you only grant view and edit rights to people 
> you trust, then there shouldn't be any risks. If you open the wiki for 
> public registration and public editing, then you will have the problem 
> any wiki has: anyone can alter the data. This is where the 
> administrator(s) are needed: managing users and their roles/rights. A 
> pretty good thing is that XWiki has versioning, so you can always revert 
> a document to a previous version, and a recycle bin, so you can recover 
> deleted documents.
> 
> Regarding rights, there is a major issue: XWiki has something called the 
> Programming right, something that allows users to go beyond simple 
> editing, as it allows a user to write scripts that can alter all the 
> data in the wiki, or even scripts that can do anything a java program 
> can do (even access the filesystem and send data over the network). This 
> is where the security manager I talked about above is useful, as it 
> restricts what such a script can do on the system. Now, this is 
> something you should take extra care about: it is not a problem unless 
> you make it one. Never let this right be used in the wiki, it is not 
> intended to be granted to normal users but to your "super" 
> administrators, who know how and when to use this access right. This 
> means that you should only use the default Admin account to set up the 
> wiki, then create a normal user for day-to-day editing.
> 
> So, as a conclusion, XWiki CAN be safe, and it CAN be unsafe, it is only 
> a matter of proper configuration. It does not contain anything 
> inherently unsafe, it is built on a safe platform, with the dangerous 
> things (programming right) locked up by default.
> 
> Alain M. wrote:
>> Please, can anyone help me on this matter? I have waited some time but 
>> didn't get an answer. This is important; any information will help.
>> -------
>>
>> If I install XWiki in a VPS and leave it running, with a firewall that
>> leaves open only the port that XWiki is using,
>>
>> could it be attacked by a hacker to gain access to the server?
>>
>> Do I need some extra protection? Is there a security tutorial?
>>
> 
_______________________________________________
users mailing list
users@xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
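As an added illustration (not code from this thread or from XWiki) of the JVM security manager that Sergiu describes: the program below writes a minimal policy file that grants read access to exactly one file, installs a SecurityManager, and then shows that a read of any other file is refused. File names and the policy contents are constructed for the demo; on Java 18 and later it must be started with -Djava.security.manager=allow, and the SecurityManager is deprecated since Java 17 and removed in Java 24.

```java
import java.io.File;
import java.io.FileReader;
import java.io.FileWriter;
import java.io.IOException;

/**
 * Demonstrates that code running under a SecurityManager can only do what the
 * policy file grants: one file is readable, everything else is denied.
 * Run with `-Djava.security.manager=allow` on Java 18+ (removed in Java 24).
 */
public class PolicyDemo {

    /** Returns "ok" if the file could be opened, "denied" if the policy blocked it. */
    static String tryRead(File f) {
        try (FileReader r = new FileReader(f)) {
            r.read();
            return "ok";
        } catch (SecurityException e) {
            return "denied";          // raised by SecurityManager.checkRead
        } catch (IOException e) {
            return "io-error";
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample files; created before the manager is installed.
        File allowed = File.createTempFile("allowed", ".txt");
        File secret = File.createTempFile("secret", ".txt");
        File policy = File.createTempFile("demo", ".policy");

        // Minimal policy: every code source may read exactly one file and
        // nothing else (no other FilePermission, no SocketPermission, no
        // RuntimePermission). Backslashes in policy strings must be doubled.
        String path = allowed.getAbsolutePath().replace("\\", "\\\\");
        try (FileWriter w = new FileWriter(policy)) {
            w.write("grant {\n"
                  + "  permission java.io.FilePermission \"" + path + "\", \"read\";\n"
                  + "};\n");
        }

        // A leading '=' makes this file the only policy source, replacing the
        // JDK default policy; then install the manager.
        System.setProperty("java.security.policy", "=" + policy.getAbsolutePath());
        System.setSecurityManager(new SecurityManager());

        System.out.println("read granted file : " + tryRead(allowed)); // ok
        System.out.println("read other file   : " + tryRead(secret));  // denied
    }
}
```

The same mechanism is what limits a Programming-right script in XWiki: the script runs inside the container's JVM, so only permissions listed in the container's policy file are available to it.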
