Any application has security issues of which you, the user, should be aware. Because Movable Type is a server-based application, you and your hosting provider should be aware of web server security issues due to running CGI scripts (not just Movable Type, but any CGI script). In addition, as someone who is publishing personal information readable by the entire world, you may be interested in blog security or the ability to create private blogs readable only by your close friends.
As a web application, Movable Type is more vulnerable to security problems than is a desktop application. The system is a series of CGI scripts. When the web server executes CGI scripts, in most configurations they are executed as a non-privileged user on the system, that is, as a user who does not have privileges to write to files in your home directory, where your web-accessible files are stored. Because Movable Type needs to write files into your directories to publish your blog, you must make some of your files and directories world-writable. This is a security risk on a shared server. The web server user can now write files to your directories, but so can any other user on the system! This is a real problem, because most hosting servers are shared between many users.
To prevent this security hole, many providers have installed cgiwrap and/or suexec. These systems both use the same technique: instead of running CGI scripts as the web server, they run the CGI scripts as you. Because the scripts are running as you, the files and directories that they manage do not have to be world-writable — they need be writable only by you, which they will be anyway, because you created them. When using cgiwrap, you usually need to invoke your CGI scripts using a specially formatted URL; suexec usage is generally transparent to you. Your hosting provider’s support pages should have more information on how to use either of these tools.
When you first run mt-check.cgi on your system, you should be able to determine whether or not your server is running suexec. When you invoke the CGI script from your browser, the output may contain a line like this:
(Probably) Running under cgiwrap or suexec
If the output contains this line (which will be under the line beginning “Perl version:”), you will know that your server is set up to use suexec. In this case, you should configure Movable Type so that the files and directories it creates are created with the proper permissions (that is, so that they are not world-writable). To do so, follow these steps:
If your hosting provider does not support running CGI scripts under cgiwrap or suexec, you may wish to put pressure on them to do so. Ultimately, your provider has the most to lose if the web server is hacked and files are compromised. It is in their best interest to prevent this by installing cgiwrap or suexec.
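To see which files and directories under a published blog directory are still world-writable, and to clear that bit once scripts run as your own user under cgiwrap or suexec, an audit like the following can be used. This is an added example, not part of Movable Type or the original text; the function names are hypothetical and the demo tree is constructed.

```sh
#!/bin/sh
# Added example: audit a published blog directory for world-writable entries.
# Function names are hypothetical; the demo tree below is constructed.

# List regular files and directories under DIR that any local user may write to.
list_world_writable() {   # $1 = directory to audit
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Number of world-writable entries; 0 means none.
count_world_writable() {   # $1 = directory to audit
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Clear only the "other" write bit; owner and group permissions are untouched.
# Suitable once CGI scripts run as the account owner under cgiwrap or suexec.
drop_world_write() {   # $1 = directory to fix
    find "$1" \( -type f -o -type d \) -perm -0002 -exec chmod o-w {} +
}

# Constructed demo: a small blog tree with one open directory and one open file.
demo=$(mktemp -d); mkdir "$demo/archives"
: > "$demo/index.html"; : > "$demo/archives/entry.html"
chmod 777 "$demo/archives"; chmod 666 "$demo/index.html"; chmod 644 "$demo/archives/entry.html"
echo "before: $(count_world_writable "$demo") world-writable"
list_world_writable "$demo"
drop_world_write "$demo"
echo "after:  $(count_world_writable "$demo") world-writable"
rm -rf "$demo"
```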
We’ve covered security on the web server level. But what about security on the blog level? If you post an entry to your blog that you only want certain people to read, how can you control who can access that entry?
Movable Type itself does not possess the functionality to post private entries to your blog and protect them from viewing by anyone other than a select group of people. However, your web server probably does possess this functionality: all web servers implement Basic HTTP authentication, which allows you to set up a list of users who can access specific sections of your site. When a visitor to your site requests a page protected by this form of authentication, the web server first tells the user to authenticate himself by entering a username and password. If the username and password match those of a user who you have allowed access to your blog, the web server will then send the protected file to the browser, where it will be displayed like a normal page.
The method of setting up this authentication depends on your web server. With the Apache web server, for example, you use .htaccess files to configure the web server and set up password protection. In addition, your hosting provider may have an online control panel that will allow you to set up password protection; you may wish to consult your provider’s support manual for more information on setting up a password-protected directory.
To set up password protection using .htaccess files, you first need to create a file containing the list of users who can access your blog. You do this using the htpasswd command from the command line:
% htpasswd -c ~/htpasswd.blog friend
New password: <password>
Re-type new password: <password>
Adding password for user friend
This will create a file htpasswd.blog in your home directory to set up the user “friend.”
The next step is to set up an .htaccess file in the private directory, allowing in only the users who you wish to allow to read your blog. In the directory that you wish to make private, create a new file called .htaccess, and paste the following text into it:
AuthUserFile <path/to/home/directory>/htpasswd.blog
AuthName "My Private Blog"
AuthType Basic
Require user friend
Once you have saved this file, your blog will be password-protected. When visiting your private blog, visitors will be presented with a standard HTTP authentication dialog, into which they will have to enter one of the usernames that you have allowed in your .htaccess file.
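A quick consistency check for the setup described above: it confirms that the .htaccess uses Basic authentication, that the password file named by AuthUserFile exists and is kept outside the protected directory (as the home-directory location above does), and that every user on a Require user line has an entry in that file. This is an added example, not from the original text or from Apache; the function names are hypothetical and the sample files are constructed.

```sh
#!/bin/sh
# Added example: check a directory protected with the .htaccess shown above.
# Function names and the sample files are constructed for illustration.

# First argument of a directive such as AuthUserFile or AuthType.
htaccess_value() {   # $1 = directive name, $2 = .htaccess path
    awk -v d="$1" 'tolower($1) == tolower(d) { gsub(/"/, "", $2); print $2; exit }' "$2"
}

# Every user name listed on "Require user ..." lines.
required_users() {   # $1 = .htaccess path
    awk 'tolower($1) == "require" && tolower($2) == "user" {
             for (i = 3; i <= NF; i++) print $i }' "$1"
}

# Prints one line per problem; exit status is the number of problems found.
check_private_dir() {   # $1 = protected directory
    ht="$1/.htaccess"; problems=0
    [ -f "$ht" ] || { echo "no .htaccess in $1"; return 1; }
    pw=$(htaccess_value AuthUserFile "$ht")
    [ "$(htaccess_value AuthType "$ht" | tr 'A-Z' 'a-z')" = "basic" ] ||
        { echo "AuthType is not Basic"; problems=$((problems + 1)); }
    case "$pw" in
        "$1"/*) echo "password file is stored inside the web-served directory"
                problems=$((problems + 1)) ;;
    esac
    if [ ! -r "$pw" ]; then
        echo "password file '$pw' is missing or unreadable"
        problems=$((problems + 1))
    else
        for u in $(required_users "$ht"); do
            awk -F: -v u="$u" '$1 == u { ok = 1 } END { exit !ok }' "$pw" ||
                { echo "user '$u' has no entry in $pw"; problems=$((problems + 1)); }
        done
    fi
    return "$problems"
}

# Constructed demo: the layout from this page, plus a user missing from the file.
demo=$(mktemp -d); mkdir "$demo/home" "$demo/private"
printf 'friend:%s\n' 'CONSTRUCTED-HASH-PLACEHOLDER' > "$demo/home/htpasswd.blog"
printf 'AuthUserFile %s\nAuthName "My Private Blog"\nAuthType Basic\nRequire user friend cousin\n' \
    "$demo/home/htpasswd.blog" > "$demo/private/.htaccess"
check_private_dir "$demo/private" || echo "problems found: $?"
rm -rf "$demo"
```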