On 11-05-23 09:20 AM, jidanni(a)jidanni.org wrote:
You know, the current structure of how one sets up MediaWiki is just
begging for trouble security wise,
"You should probably change your database password, since you just posted it for the
world to see."
http://www.mediawiki.org/w/index.php?title=Manual_talk:Preventing_access#Do…
I mean I can't think of hardly any other components here on my Linux
system that encourage one to toss passwords right into the same file
with the rest of one's settings. It's like we're still at day one when
the program was first baked.
- WordPress, Drupal, OSCommerce, etc... basically every php, perl,
etc... web software.
- php, if you configure mysql globally using defaults
- Postfix mysql integration
- Nagios and other server monitoring; For when storing things in the
database, and when you need to interact with a mysql server to monitor
stats, etc... (unless you go and add a user that doesn't require a
password; just don't tell me that's a valid solution based on the fact
there is no password in the config *rolls eyes*)
- PowerDNS' database storage
- Puppet, if you use storeconfigs with anything other than SQLite
- Apache, if you want to use MySQL based logging or auth
- Sphinx
Is this what the term 'Fallacy' would refer to?
Indeed there is even /etc/shadow etc.
Yes, the idea is there are two levels of security for /etc files...
That way when we send one in for repairs, we don't have to worry if our
house keys are still in it somewhere, usually.
Yes the user could easily include() the passwords from a separate file,
and indeed I remember there was an Adim*.php.
However putting the passwords in a separate file should be the default
way MediaWiki sets up, not something the user must do especially.
I leave this rhetoric to Domas' reply.
--
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]
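
The separate-file setup discussed in the message above, as an added example that is not part of the original thread and not MediaWiki's own code: LocalSettings.php pulls the database credentials from a file outside the web root and refuses to start if that file is accessible to other users, so the settings file itself can be posted or shared without exposing the password. The path `/etc/mediawiki/secrets.php`, the helper `loadSecrets` and the array keys are assumptions; `$wgDBuser` and `$wgDBpassword` are MediaWiki's real settings.

```php
<?php
// LocalSettings.php (excerpt) -- added example, hypothetical layout.
// Assumed secrets file: /etc/mediawiki/secrets.php, outside the web root,
// owned by root, group = web server group, mode 0640. It contains only:
//   <?php return [ 'DBuser' => 'wikiuser', 'DBpassword' => 'CONSTRUCTED-VALUE' ];

$secretsFile = '/etc/mediawiki/secrets.php'; // assumption, not a MediaWiki default

/**
 * Load credentials from a separate file, failing closed when the file is
 * missing, open to "other" users, or lacks a required key.
 * Hypothetical helper, not a MediaWiki function.
 */
function loadSecrets( string $path ): array {
    if ( !is_file( $path ) || !is_readable( $path ) ) {
        // Keep the path out of the message: errors may be shown to visitors.
        throw new RuntimeException( 'secrets file missing or unreadable' );
    }

    // Permission bits only; any r/w/x bit for "other" means the
    // "second level" of protection is not actually in place.
    $mode = fileperms( $path ) & 0777;
    if ( $mode & 0007 ) {
        throw new RuntimeException(
            sprintf( 'secrets file mode %04o is open to other users', $mode )
        );
    }

    $secrets = require $path; // the file returns an array
    if ( !is_array( $secrets ) ) {
        throw new RuntimeException( 'secrets file did not return an array' );
    }
    foreach ( [ 'DBuser', 'DBpassword' ] as $key ) {
        if ( !isset( $secrets[$key] ) || $secrets[$key] === '' ) {
            throw new RuntimeException( "secrets file lacks $key" );
        }
    }
    return $secrets;
}

$secrets = loadSecrets( $secretsFile );
$wgDBuser = $secrets['DBuser'];
$wgDBpassword = $secrets['DBpassword'];
unset( $secrets ); // do not leave a second copy in global scope
```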