8.5 Security Issues
Any application has
security issues of which you, the user,
should be aware. Because Movable Type is a server-based application,
you and your hosting provider should be aware of web server security
issues due to running CGI scripts (not just Movable Type, but any CGI
script). In addition, as someone who is publishing personal
information readable by the entire world, you may be interested in
blog security or the ability to create private blogs readable only by
your close friends.
8.5.1 Web Server Security
As a web application, Movable Type is more vulnerable to security
problems than is a desktop application. The system is a series of CGI
scripts. When the web server executes CGI scripts, in most
configurations they are executed as a non-privileged user on the
system, that is, as a user who does not have privileges to write to
files in your home directory, where your web-accessible files are
stored. Because Movable Type needs to write files into your
directories to publish your blog, you must make some of your files
and directories world-writable. This is a security risk on a shared
server: the web server user can now write files to your directories,
but so can any other user on the system! This is a real problem,
because most hosting servers are shared between many users.
To prevent this security hole, many providers have installed cgiwrap
and/or suexec. These systems both use the same
technique: instead of running CGI scripts as the web server, they run
the CGI scripts as you. Because the scripts are running as you, the
files and directories that they manage do not have to be
world-writable — they need be writable only by you, which they
will be anyway, because you created them. When using
cgiwrap, you usually need to invoke your CGI
scripts using a specially formatted URL; suexec
usage is generally transparent to you. Your hosting
provider's support pages should have more
information on how to use either of these tools.
When you first run mt-check.cgi on your system, you should be able to
determine whether or not your server is running cgiwrap or suexec.
When you invoke the CGI script from your browser, the output may
contain a line like this:
(Probably) Running under cgiwrap or suexec
If the output contains this line (which will be under the line
beginning "Perl version:"), you will know that your server is set up
to use cgiwrap or suexec. In this case, you should configure
Movable Type so that the files and directories it creates are created
with the proper permissions (that is, so that they are not
world-writable). To do so, follow these steps:
1. Open the file mt.cfg in a text editor.
2. Add the following lines at the end of the file:
   DBUmask 0022
   HTMLUmask 0022
   UploadUmask 0022
   DirUmask 0022
3. Save the file.
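A umask is applied only when a file or directory is created, so anything published before this change keeps its old mode. The shell sketch below is an added example (not part of Movable Type or its documentation) that lists entries any local user can still write to and clears that bit; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: find (and optionally fix) world-writable entries in a blog tree.

# List files and directories under $1 that any local user may write to.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Clear only the "other" write bit; owner and group bits are left alone.
fix_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -exec chmod o-w {} +
}

# Build a constructed sample tree and report how many entries need fixing.
demo() {
    blog=$(mktemp -d)    # stand-in for your published blog directory
    # Entries published while modes were unrestricted (world-writable).
    ( umask 0000; mkdir "$blog/archives"; : > "$blog/archives/old.html" )
    # Entries published after the 0022 settings were added to mt.cfg.
    ( umask 0022; mkdir "$blog/recent"; : > "$blog/recent/index.html" )
    before=$(world_writable "$blog" | wc -l | tr -d ' ')
    fix_world_writable "$blog"
    after=$(world_writable "$blog" | wc -l | tr -d ' ')
    rm -rf "$blog"
    echo "world-writable before=$before after=$after"
}

demo
```

On a real site, run world_writable against your blog directory first and review the list before running fix_world_writable.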
If your hosting provider does not support running CGI scripts under
cgiwrap or suexec, you may
wish to put pressure on them to do so. Ultimately, your provider has
the most to lose if the web server is hacked and files are
compromised. It is in their best interest to prevent this by
installing cgiwrap or
suexec.
8.5.2 Private Blogs
We've covered security on the web
server level. But what about security on
the blog level? If you post an entry to your blog that you only want
certain people to read, how can you control who can access that
entry?
Movable Type itself does not possess the functionality to post
private entries to your blog and protect them from viewing by anyone
other than a select group of people. However, your web server
probably does possess this functionality: all web servers implement
Basic HTTP authentication, which allows you to set up a list of users
who can access specific sections of your site. When a visitor to your
site requests a page protected by this form of authentication, the
web server first tells the user to authenticate himself by entering a
username and password. If the username and password match those of a
user who you have allowed access to your blog, the web server will
then send the protected file to the browser, where it will be
displayed like a normal page.
The method of setting up this authentication depends on your web
server. With the Apache web server, for example, you use
.htaccess files to configure the web server and
set up password protection. In addition, your hosting provider may
have an online control panel that will allow you to set up password
protection; you may wish to consult your provider's
support manual for more information on setting up a
password-protected directory.
To set up password protection using .htaccess
files, you first need to create a file containing the list of users
who can access your blog. You do this using the
htpasswd command from the command line:
% htpasswd -c ~/htpasswd.blog friend
New password: <password>
Re-type new password: <password>
Adding password for user friend
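This will create a file htpasswd.blog in your home directory
containing an entry for the user "friend." The -c option creates the
file, replacing any existing file of that name, so omit it when
adding further users.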
The next step is to set up an .htaccess file in the private directory
that admits only the users you wish to allow to read your blog. In
the directory that you wish to make private, create a new file called
.htaccess, and paste the following text into it:
AuthUserFile /path/to/home/directory/htpasswd.blog
AuthName "My Private Blog"
AuthType Basic
Require user friend
Once you have saved this file, your blog will be password-protected.
When visiting your private blog, visitors will be presented with a
standard HTTP authentication dialog, into which they will have to
enter one of the usernames that you have allowed in your
.htaccess file, along with the matching password.
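A quick consistency check for the setup above, as an added example that is not from the original text or from Apache: it confirms that the AuthUserFile exists, that it sits outside the protected directory, and that every name on the Require user line has an entry in it. The function name check_private_dir and the sample files are constructed, and directive names are matched exactly as spelled in the listing above.

```shell
#!/bin/sh
# Added example: sanity-check a password-protected directory.

# Print one finding per line for the .htaccess in directory $1; nothing if clean.
check_private_dir() {
    dir=$1
    ht="$dir/.htaccess"
    [ -f "$ht" ] || { echo "missing .htaccess"; return; }
    # Value of AuthUserFile, with optional surrounding quotes removed.
    pwfile=$(awk '$1 == "AuthUserFile" {print $2; exit}' "$ht" | tr -d '"')
    [ -n "$pwfile" ] || { echo "no AuthUserFile directive"; return; }
    [ -f "$pwfile" ] || { echo "password file not found: $pwfile"; return; }
    # A password file stored in the protected tree sits in web-served space.
    case "$pwfile" in
        "$dir"/*) echo "password file is inside the web directory" ;;
    esac
    # Every name on "Require user" needs an entry in the password file.
    for u in $(awk '$1 == "Require" && $2 == "user" {
                       for (i = 3; i <= NF; i++) print $i }' "$ht"); do
        grep -q "^$u:" "$pwfile" || echo "no password entry for user: $u"
    done
}

# Constructed sample: the password file holds "foo" but .htaccess names "friend".
base=$(mktemp -d)                       # stand-in for your home directory
mkdir -p "$base/public_html/private"
# Constructed htpasswd-format line (user:hash); the hash is a placeholder.
printf '%s\n' 'foo:$apr1$constructed$placeholderhash' > "$base/htpasswd.blog"
cat > "$base/public_html/private/.htaccess" <<EOF
AuthUserFile $base/htpasswd.blog
AuthName "My Private Blog"
AuthType Basic
Require user friend
EOF
check_private_dir "$base/public_html/private"
rm -rf "$base"
```

With the constructed files, the check reports that "friend" has no password entry, which is the mismatch that would lock your reader out.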