Installing MoinMoin under Debian with Apache, suexec, and CGI
Setting up MoinMoin under Linux is reasonably straightforward considering the number choices you have when deciding how to go about it.
MVLUG's wiki runs on a debian lenny box using Apache, suexec, and CGI. Since this machine is serving web content other than the wiki, we'll use apache's virtual hosting capability and host the wiki under its own domain.
Install the MoinMoin package
root# apt-get install python-moinmoin
- This will install python if you haven't already, so don't be alarmed at the amount of activity.
- Install apache and suexec packages
- We're going to use version 2 of apache. You get mod_cgi in one of the dependencies for the apache2 package, but suexec must be installed from a separate package.
root# apt-get install apache2 apache2-suexec
Note that you can do the previous two installs with a single call to apt-get.
- Create wiki user account
- Since we have several people taking care of the wiki, we need to have the capability for several people to modify a group of files. There are at least three ways to accomplish this:
- Install the wiki in a user account and put everything in ~/public_html.
- Install everything in the usual place (/var/www), create a special wiki group, make everything owned by user www-data but allow writing by the wiki group, then create accounts for everybody who wants to be able to modify the wiki's files and put those accounts in the wiki group.
- Install everything in /var/www, make it all owned by a single user and use suexec to run the wiki as that user.
- Option (1) is probably easiest, but it involves either allowing all users to run arbitrary cgi scripts or otherwise exercising control over individual users and scripts. While this might be feasible on a machine with only a very few users, it quickly becomes an administrative nightmare if the number of users on the machine starts to grow.
- Option (2) is better. However, the admin factor is still a potential source of pain.
We went with option (3). Not only do we get to keep the wiki content in a standard place, we only have to maintain one account. The wiki CGI is run using this account, so any security implications of an exploit against MoinMoin are minimized to a regular user's account. We can avoid having to distribute the account's password by using ssh and public key authentication.
Create the data directory for the virtual host and set appropriate ownership. In this example we'll use the username mvlug.
root# mkdir /var/www/mvlug root# chown -R mvlug.mvlug /var/www/mvlug root# ls -ld /var/www/mvlug drwxr-xr-x 2 mvlug mvlug 4096 2008-09-28 11:01 /var/www/mvlug
- Copy data and configuration files. Perform these steps as the mvlug user.
Debian puts the files relevant to MoinMoin in /usr/share/moin.
mvlug:~$ cp -R /usr/share/moin/data /var/www/mvlug
We are setting this up as a single wiki. To set up multiple wikis, please see HelpOnConfiguration for information on configuring multiple wikis on the same host.
mvlug:~$ cp /usr/share/moin/config/wikiconfig.py /var/www/mvlug
- We're using the CGI, so we need to copy the CGI script Apache runs to access the wiki:
mvlug:~$ mkdir /var/www/mvlug/cgi-bin mvlug:~$ cp /usr/share/moin/server/moin.cgi /var/www/mvlug/cgi-bin
- Configure wiki
wikiconfig.py, moin.cgi, logfile, etc.
- Configure apache virtual host
Debian keeps separate configuration files for each virtual host in /etc/apache2/sites-available. We create a file in that directory called mvlug with the following contents:
<VirtualHost *:80> ServerName www.mvlug.org ServerAlias mvlug.org DocumentRoot /var/www/mvlug Alias /robots.txt /usr/share/moin/htdocs/robots.txt Alias /favicon.ico /usr/share/moin/htdocs/favicon.ico # moinmon uses /moin_static<version> to grab static pages Alias /moin_static171/ "/usr/share/moin/htdocs/" # run the wiki as a regular user SuexecUserGroup mvlug mvlug <Directory "/usr/share/moin/htdocs/"> Order deny,allow Allow from all </Directory> <Directory "/var/www/mvlug/cgi-bin/"> Order deny,allow Allow from all </Directory> # This script runs the wiki ScriptAlias / /var/www/mvlug/cgi-bin/moin.cgi/ </VirtualHost>
- Activate the virtual host
root# a2ensite mvlug
- Set up ssh access for the wiki admin user
We've chosen to allow access to the wiki user account via ssh. Password authentication is disabled in favor of public key authentication.
- Enjoy your new wiki!