script to secure MediaWiki installation

This article provides a script to secure a new installation of MediaWiki (tested on version 1.16).

##################################
# mediawiki
# script written by t0ka7a
# http://infond.blogspot.com
# august 2010
# under new BSD licence
##################################

# install

# needs apache, php, mysql

if [ -z "$(ls /var/www | grep wiki)" ]; then
  rm -r /tmp/wiki*
  wget "http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.0.tar.gz" -nc -P /tmp
  tar xzf /tmp/mediawiki-1.16.0.tar.gz -C /tmp
  rm /tmp/mediawiki-1.16.0.tar.gz
  mv /tmp/mediawiki-1.16.0 /var/www/wiki
  chown -R www-data: /var/www/wiki
  chmod 440 -R /var/www/wiki
  chmod -R ug+X /var/www/wiki
  chmod 777 -R /var/www/wiki/config
  echo "Please configure your wiki."
  echo "The name for your wiki must be 'wiki'"
  echo "Remember the credentials you will submit: you will need them to log on you wiki."
  echo "When install is successful, close firefox tab or window to hold on with this script."
  echo "Please, press enter."
  read pause
  echo "Firefox is starting... Don't forget, you must use 'wiki' as name for your wiki."
  firefox http://localhost/wiki/index.php
  mv /var/www/wiki/config/LocalSettings.php /var/www/wiki/

 

# secure

  # only registered users can edit
  echo ""  >> /var/www/wiki/LocalSettings.php
  echo "# only registered users can edit" >> /var/www/wiki/LocalSettings.php
  echo "\$wgGroupPermissions['*']['edit'] = false;"  >> /var/www/wiki/LocalSettings.php

  # only registered users can read (except main page)
  echo ""  >> /var/www/wiki/LocalSettings.php
  echo "\$wgWhitelistRead = array( \"Accueil\", \"Special:Userlogin\" );"   >> /var/www/wiki/LocalSettings.php
  echo "\$wgGroupPermissions['*']['read'] = false;"   >> /var/www/wiki/LocalSettings.php

  # free inscription forbidden
  # file
  FILE="/var/www/wiki/includes/DefaultSettings.php"
  # find the number of line with pattern wgGroupPermissions['*']['createaccount']
  # sed does not like ' and [ and ] and *. replace them:
  # ' -> \x27
  # [ -> \[
  # ] -> \]
  # * -> \*
  LINE=$(sed -n '/wgGroupPermissions\[\x27\*\x27\]\[\x27createaccount\x27\]/=' $FILE)
  # replace line
  # sed does not like either $VARIABLE.
  # use $VARIABLE -> $(echo $VARIABLE)
  AFTER="\$wgGroupPermissions['*']['createaccount']    = false;"
  sed -e "$(echo $LINE)s/.*/$(echo $AFTER)/"  -i $FILE

  # change message loginprompt in french version (the default message socks)
  # default message : "Vous devez activer les témoins (''cookies'') pour vous connecter à {{SITENAME}}.
  # replace it with : "veuillez saisir votre identifiant et votre mot de passe"
  FILE="/var/www/wiki/languages/messages/MessagesFr.php"
  LINE=$(sed -n '/loginprompt/=' $FILE)
  AFTER="\x27loginprompt\x27 \=\> \"veuillez saisir votre identifiant et votre mot de passe\","
  sed -e "$(echo $LINE)s/.*/$(echo $AFTER)/"  -i $FILE

  # hide tool box to people not logged in
  # add data['loggedin']) { ?>
  FILE="/var/www/wiki/skins/MonoBook.php"
  BEGIN=$(sed -n '/div class="portlet" id="p-tb"/=' $FILE)
  AFTER="data['loggedin']) { ?>"
  sed -e "$(echo $BEGIN)a$(echo $AFTER)"  -i $FILE
  # add
  FILE="/var/www/wiki/skins/MonoBook.php"
  DIV="<\/div>"
  FROM="function toolbox"
  TO=$DIV
  INSERT_THIS=" "
  sed "/$FROM/,/$TO/ s/$DIV/$DIV$INSERT_THIS/" -i $FILE

  # hide tool box to users. Only admin can see it
  FILE="/var/www/wiki/includes/SpecialPage.php"
  # add ## at the beginning of string
  sed '/Userlogin\x27 / s/^/##/' -i $FILE

  # user can't create account. Only admin can do it.
  FILE="/var/www/wiki/includes/DefaultSettings.php"
  BEFORE_THIS="\$wgGroupPermissions\[\x27user\x27\]\[\x27move\x27\]"
  INSERT_THIS="\$wgGroupPermissions\[\x27user\x27\]\[\x27createaccount\x27\] \= false\;"
  sed -e "/$BEFORE_THIS/i$INSERT_THIS"  -i $FILE

fi

references:

- (FR) http://camillereverchon.net/mediawiki/index.php?title=S%C3%A9curiser_son_wiki