
novice: securing in-place installation.
Hi,


I ran the in-place installation, and it went like a breeze. That said, I
don't understand a couple of things...

/var/www/wiki has a dump of the mediawiki-1.2.0 stable tar-ball.
Ran through the basic install which means putting LocalSettings.php
in the same directory as index.php (/var/www/wiki)
I noticed that LocalSettings.php has the DB name, username and PW in it.
If one is readable, won't the other be as well? Is that safe?
Re: novice: securing in-place installation.
On Apr 5, 2004, at 21:06, Peter wrote:
> /var/www/wiki has a dump of the mediawiki-1.2.0 stable tar-ball.
> Ran through the basic install which means putting LocalSettings.php
> in the same directory as index.php (/var/www/wiki)
> I noticed that LocalSettings.php has the DB name, username and PW in
> it.
> If one is readable, won't the other be as well? Is that safe?

If the file is requested, it'll be _executed_ as PHP and the _output_
(which is nothing) sent to the client. This should be reasonably safe
under normal configurations.

However, if you edit the file by hand, your editor might leave a backup
file which doesn't have a ".php" extension, so watch out for that. If
you're paranoid, you can move the actual passwords to a file outside
your web space and have LocalSettings.php include() the real file (this
is actually how we do things on Wikipedia, mainly just to simplify
administration of dozens of almost-identical configurations).

Also, your MySQL server really shouldn't accept connections from the
internet at large. If it's configured appropriately (socket connections
only or firewalled to a local network) then the potential risk of the
database passwords being leaked is rather smaller.

-- brion vibber (brion @ pobox.com)
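An added example of the split Brion describes, keeping the real credentials in a file outside the web space and having LocalSettings.php include() it. This is illustrative code written for this page, not MediaWiki's own LocalSettings.php nor the Wikipedia configuration he mentions; the path /etc/mediawiki/db-secrets.php, the web root /var/www/wiki and the file ownership in the comments are assumptions. The variable names $wgDBserver, $wgDBname, $wgDBuser and $wgDBpassword are the standard MediaWiki settings. Because the credential file lives outside the served directory, an editor backup such as db-secrets.php~ can never be fetched through Apache, which is the leak the reply warns about; the include also fails closed rather than starting the wiki with undefined credentials.

```php
<?php
// ---- /var/www/wiki/LocalSettings.php (inside the web root) ----
// Added example, not MediaWiki's shipped LocalSettings.php.
// Only the location of the credential file is kept here; the file itself
// must sit in a directory the web server does not serve. (Path is an assumption.)
$wgSecretsFile = '/etc/mediawiki/db-secrets.php';

// Fail closed: if the credential file is missing or unreadable, refuse to
// start instead of connecting with empty or leftover values.
if (!is_file($wgSecretsFile) || !is_readable($wgSecretsFile)) {
    header('HTTP/1.1 503 Service Unavailable');
    exit('Configuration error: database credential file is not readable.');
}
require_once $wgSecretsFile;   // defines $wgDBname, $wgDBuser, $wgDBpassword

// Sanity check that the included file really set what we need.
foreach (array('wgDBname', 'wgDBuser', 'wgDBpassword') as $name) {
    if (!isset($GLOBALS[$name]) || $GLOBALS[$name] === '') {
        header('HTTP/1.1 503 Service Unavailable');
        exit("Configuration error: \$$name not set by credential file.");
    }
}

// 'localhost' makes the PHP MySQL client use the local Unix socket, so the
// database server does not need to accept TCP connections at all.
$wgDBserver = 'localhost';

// ... the rest of the ordinary LocalSettings.php settings follow unchanged ...

// ---- /etc/mediawiki/db-secrets.php (OUTSIDE the web root) ----
// Added example. Suggested ownership: root:www-data, mode 0640, so only the
// web server user can read it and it is never served as a document.
// Values below are constructed placeholders.
$wgDBname     = 'wikidb';
$wgDBuser     = 'wikiuser';
$wgDBpassword = 'REPLACE-WITH-A-LONG-RANDOM-PASSWORD';
```

The two sections above are two separate files; only the first one is ever placed under /var/www/wiki. After editing the secrets file, nothing new appears in the web space, so the "editor left LocalSettings.php~ behind" problem reduces to a harmless copy of the include stub rather than a readable password.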