The configure utility ships with an empty password (as designed). The save screen of configure recommends setting a password.
To make a site more secure I recommend adding some additional documentation to the save screen. Something like:
Note on Security: This web-based configuration utility makes it easy to configure your TWiki from a browser. It also adds some risk because anyone who gets hold of the password can run arbitrary commands on the server by changing the grep or rcs commands. If you are running TWiki on a public website you are strongly advised to disable the save operation of the configure utility and to enable it only temporarily when needed. To disable the save operation, make twiki/lib/LocalSite.cfg read-only (use chmod etc.)
The configure utility needs to produce a human-understandable error message if
is not writable.
should be updated accordingly.
What about making setting a password on first save mandatory?
- I tried that, and users hated it CC
How about making the yellow broadcast banner "This wiki is unsecured"?
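
The read-only recommendation from the proposed security note, as an added shell example (not part of the original thread and not TWiki's own code). The function names and the `CFG` variable are hypothetical; the default path is the one given in the note. State is read from the mode bits rather than `test -w`, because root passes `-w` even on a read-only file.

```shell
#!/bin/sh
# Added example: lock/unlock helpers for TWiki's LocalSite.cfg.
# CFG is a hypothetical variable; set it to the real path of your install.
CFG="${CFG:-twiki/lib/LocalSite.cfg}"

# Print "writable" if any write bit (user, group or other) is set,
# "locked" if none is set, "missing" if the file does not exist.
cfg_state() {
    [ -e "$1" ] || { echo missing; return 2; }
    case "$(ls -ld "$1" | cut -c1-10)" in
        *w*) echo writable ;;
        *)   echo locked ;;
    esac
}

# Remove every write bit so the save operation of configure fails.
cfg_lock() {
    chmod a-w "$1" && cfg_state "$1"
}

# Restore owner write only, for a temporary maintenance window.
cfg_unlock() {
    chmod u+w "$1" && cfg_state "$1"
}

# One-line status with an exit code, suitable for a scheduled audit:
# 0 = read-only, 1 = writable, 2 = file not found.
cfg_report() {
    case "$(cfg_state "$1")" in
        locked)   echo "OK: $1 is read-only; configure cannot save" ;;
        writable) echo "WARNING: $1 is writable; configure can save"; return 1 ;;
        *)        echo "ERROR: $1 not found"; return 2 ;;
    esac
}

# Usage: pass lock, unlock or report as the first argument.
case "${1:-}" in
    lock)   cfg_lock "$CFG" ;;
    unlock) cfg_unlock "$CFG" ;;
    report) cfg_report "$CFG" ;;
esac
```

Running `report` from cron catches a maintenance window that was never closed; lock the file again as soon as the configuration change is saved.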