[Bug 18768] New: Remove AdminSettings.php from MediaWiki core

bugzilla-daemon Mon, 11 May 2009 08:52:18 -0700

https://bugzilla.wikimedia.org/show_bug.cgi?id=18768


           Summary: Remove AdminSettings.php from MediaWiki core
           Product: MediaWiki
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: Normal
         Component: Installation
        AssignedTo: [email protected]
        ReportedBy: [email protected]
            Blocks: 14201,16322


Paraphrasing Tim:

* Having two separate files creates an illusion of privilege separation
* In theory, AdminSettings.php could be protected using UNIX permissions, but
it's never done
* It provides no real security to separate the admin user from the command-line
user
* The web user has DELETE capabilities over MediaWiki tables already, so an
attacker can do significant damage already

I propose removing the file from future installations, putting the data in
LocalSettings.php, and modifying maintenance scripts to use LocalSettings.php
(if necessary).


-- 
Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are on the CC list for the bug.

_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l

[Bug 18768] New: Remove AdminSettings.php from MediaWiki core

Reply via email to