The trac repository needs to be writable by the «user account under which the web server runs» (cf. TracInstall). But it is a big security hole, as every user of the web server with the permission to run PHP or CGI scripts, or simply to use a database browser (like SQLite Manager), can modify the database. Of course, people who cannot connect to your server cannot use that as long as your database is outside of your web tree, but even that is never guaranteed, because a bad symlink sometimes brings an unwanted file system tree into the web tree.
I think it only reflects the fact that UNIX user rights are bad at managing database user rights. The same trick would be impossible with MySQL, PostgreSQL, Oracle, ... They manage the rights of their users. Even if the user cannot see the file system, it can still get data.

As we have to stick to file permissions with SQLite, the best thing is to have a 'trac' user that only runs trac and is not the same as the httpd user, and to give the rights in the project tree to this trac user. For trac standalone it is easy to launch it as a specific user; for CGI it needs suexec; for FastCGI either an independent thread launched from a specific user account, or suexec. Personally I have adopted a trac FastCGI launched as a 'trac' user that communicates by TCP with my httpd daemon (lighttpd).

I think that TracInstall must be rewritten to indicate how to use trac securely. I would be interested to know if somebody has another secure scheme for using trac on a multi-user server.

P.S. Maybe a ticket would have been a better place for that?

_______________________________________________
Trac mailing list
[email protected]
http://lists.edgewall.com/mailman/listinfo/trac
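
An added example, not part of the original post or of Trac: a small audit of the dedicated-user setup described above, checking that a SQLite-backed environment belongs only to the trac account and that no symlink in the web tree reaches it. The function name `audit_trac_env`, the finding messages and the command-line arguments are assumptions made for this sketch.

```python
import os
import stat

def _inside(path, parent):
    """True if path is parent or lies below it (both already resolved)."""
    return os.path.commonpath([path, parent]) == parent

def audit_trac_env(env_dir, trac_uid, web_root=None):
    """Return (path, problem) findings for a SQLite-backed Trac environment."""
    findings = []
    env = os.path.realpath(env_dir)
    # The db/ directory matters as much as db/trac.db: SQLite creates its
    # journal there, and a writable directory allows replacing the file.
    for root, _dirs, files in os.walk(env):
        for path in [root] + [os.path.join(root, f) for f in files]:
            st = os.lstat(path)
            if st.st_uid != trac_uid:
                findings.append((path, "not owned by the trac account"))
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((path, "writable by group or other"))
            if st.st_mode & stat.S_IRWXO:
                findings.append((path, "accessible to other users"))
    if web_root:
        web = os.path.realpath(web_root)
        if _inside(env, web):
            findings.append((env, "environment lies inside the web tree"))
        for root, dirs, files in os.walk(web):  # does not follow links
            for name in dirs + files:
                link = os.path.join(root, name)
                if not os.path.islink(link):
                    continue
                target = os.path.realpath(link)
                # A link to the environment, into it, or to any directory
                # above it makes the database reachable through the web tree.
                if _inside(env, target) or _inside(target, env):
                    findings.append((link, "symlink exposes the environment"))
    return findings

if __name__ == "__main__":
    import sys
    # Assumed usage: audit.py ENV_DIR TRAC_UID [WEB_ROOT]
    args = sys.argv[1:]
    for path, problem in audit_trac_env(args[0], int(args[1]), *args[2:3]):
        print("%s: %s" % (path, problem))
```

An empty result means every file and directory in the environment is owned by the given uid with no group write or world access, and the web tree contains no link leading to it.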
