https://bugzilla.wikimedia.org/show_bug.cgi?id=34945
--- Comment #8 from Viktor Adamek <[email protected]> 2012-03-05 19:01:18 UTC ---

(In reply to comment #7)
> (In reply to comment #6)
> <snip>
> > [root@alex w]# php maintenance/install.php --dbuser testwikiuser --dbpass
> > NotForYou --installdbpass NotForYou --installdbuser root --pass NotForYou
> > test
> <snip>
> > [root@alex w]# ls -l LocalSettings.php
> > -rw-r--r--. 1 root root 4487 Mar 4 19:04 LocalSettings.php
>
> What is the point of that test? You could have verified that your root user has
> a 0022 umask just by doing:

I just wanted to show that install.php creates a config file containing database credentials that's readable by the "other" group (i.e. by locally logged-in users) - it could behave differently (using PHP's chmod). Since I've never programmed any PHP and have only little knowledge about Apache's PHP integration, please tell me if I'm totally wrong.

> If the file belongs to apache:apache, even as r--r-----, any user able to host
> files on your server will be able to read it just by doing:
> file_get_contents( '/var/www/yourwiki/LocalSettings.php');

Yep, this is suboptimal. Nevertheless I think it's much wiser to only allow Apache users (group) to read the file than to allow it for everyone. Other PHP projects handle this issue similarly, e.g. WordPress:

"... All files should be 644 or 640. Exception: wp-config.php should be 600 to prevent other users on the server from reading it. ..."

from: http://codex.wordpress.org/Changing_File_Permissions
