foo

diff --git a/doc/post-commit.mdwn b/doc/post-commit.mdwn
index 6635d3bbd1f4a52158835aef2c1a61429fcfa121..6e768ce24a0fb8752ed858fe4e093ee50f628c8d 100644 (file)
--- a/doc/post-commit.mdwn
+++ b/doc/post-commit.mdwn
@@ -1,11 +1,26 @@
-Here's an example of how to run ikiwiki in a [[Subversion]] post-commit
-hook to automatically update a wiki as commits come in:
+The best way to run ikiwiki in a [[Subversion]] post-commit hook is using
+a wrapper, which can be generated using `ikiwiki --gen-wrapper`.

 
 

-       wiki_src=/path/to/checkout
-       wiki_dest=/path/to/web/server
-       svn up -q $wiki_src
-       ikiwiki $wiki_src $wiki_dest --wikiname=MyWiki
+First, set up the subversion checkout that ikiwiki will update and compile
+into your wiki at each subversion commit. Run ikiwiki a few times by hand
+to get a feel for it. Now, generate the wrapper by adding "--gen-wrapper"
+to whatever command line you've been using to run ikiwiki. For example:

 
 

-This assumes that permissions allow anyone who commits to svn up the
-wiki_src directory and write to wiki_dest. If they don't, you'll need a
-suid wrapper to run the above as a user who can write to both.
+       ~/wiki-checkout> ikiwiki . ~/public_html/wiki
+       ~/wiki-checkout> ikiwiki . ~/public_html/wiki --gen-wrapper
+       successfully generated ikiwiki-wrap
+
+The generated wrapper is a C program that is designed to safely be made
+suid if necessary. It's hardcoded to run ikiwiki with the settings
+specified when you ran --gen-wrapper, and can only be used to update and 
+compile that one checkout into the specified html directory.
+
+Now, put the wrapper somewhere convenient, and create a post-commit hook
+script in your subversion repository for the wiki. All the post-commit
+hook has to do is run ikiwiki-wrap (with no parameters).
+
+Depending on your Subversion setup, the post-commit hook might end up
+getting called by users who have write access to subversion, but not to
+your wiki checkout and html directory. If so, you can safely make
+ikiwiki-wrap suid to a user who can write there (*not* to root!). You might
+want to read [[Security]] first.

diff --git a/doc/security.mdwn b/doc/security.mdwn
index e7936b5a09475dd3f6fba83368394d98b3c4ecd4..d3e1375882f738a391d92d645097f662f73056d3 100644 (file)
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -42,11 +42,11 @@ they can try to use this to exploit your web server.
 
 ## --gen-wrapper might generate insecure wrappers
 
 
 ## --gen-wrapper might generate insecure wrappers
 

-ikiwiki --gen-wrapper is instended to generate a wrapper program that
+ikiwiki --gen-wrapper is intended to generate a wrapper program that

 runs ikiwiki to update a given wiki. The wrapper can in turn be made suid,
 for example to be used in a [[post-commit]] hook by people who cannot write
 to the html pages, etc.
 
 If the wrapper script is made suid, then any bugs in this wrapper would be
 security holes. The wrapper is written as securely as I know how and
 runs ikiwiki to update a given wiki. The wrapper can in turn be made suid,
 for example to be used in a [[post-commit]] hook by people who cannot write
 to the html pages, etc.
 
 If the wrapper script is made suid, then any bugs in this wrapper would be
 security holes. The wrapper is written as securely as I know how and

-there's been no problems yet.
+there's been no problem yet.

diff --git a/ikiwiki b/ikiwiki
index 65934edd1af0a0da450d7ab78bcbef6a7acbf247..cb8295cf9586ba76148541da7e69d5de2bf4da77 100755 (executable)
--- a/ikiwiki
+++ b/ikiwiki
@@ -463,7 +463,7 @@ sub gen_wrapper ($$) {
 #include <stdlib.h>
 
 int main (void) {
 #include <stdlib.h>
 
 int main (void) {

-       unsetenv("PERLIO_DEBUG"); /* CAN-2005-0155 */
+       clearenv();

        execl($call, NULL);
        perror("failed to run $this");
        exit(1);
        execl($call, NULL);
        perror("failed to run $this");
        exit(1);