I would suggest, if you want maximum security, to make it so that account under which website is running has read-only permissions to all files on your website, unless it really needs to have write permissions - specifically for MediaWiki, it would need write permissions in /images directory and its children. I don't believe it needs write access anywhere else in the filesystem. If you are only medium-paranoid, you can leave file owner to account under which website is running, and change permissions to read only. If you are extra-paranoid, you can change owner to a user other than web server, give group read permissions to group that web server is in, and no permissions to anyone else. I am extra-paranoid and it works fine - I simply ftp to site with owner account to make changes to files, and I leave them readable by group that web server is in.
Also, the way MediaWiki works, you never (at least off the top of my head) need direct access to any .php files other than index.php. All other files are used with includes or requires. Many of them have something like this as first lines in the file:
if ( !defined( 'MEDIAWIKI' ) ) { die( "This file is part of MediaWiki, it is not a valid entry point" ); }
This effectively prevents them from being used without having been called from index.php. Not the most robust security mechanism, so you might want to deny web access to files ending with .php except for index.php through settings on your web server.
Marko
On 10/31/07, Emufarmers Sangly emufarmers@gmail.com wrote:
I have a fundamental question: who is the owner of Localsettings.php and who is (or should be) the group for Localsettings.php? I assume both owner and group have to have "rw" rights to Localsettings.php.
LocalSettings.php should probably belong to your Web user and group, as presumably would all of the files for your Web site. I would recommend that you CHMOD LocalSettings.php to 600 unless your setup requires otherwise.
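
The permission layouts discussed in this thread can be checked mechanically. The script below is an added example, not code from either poster or from MediaWiki; it assumes the wiki root and the web server account are passed as arguments and that uploads live in ROOT/images, and its finding labels are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: $1 is the wiki root,
# $2 is the web server account (name or numeric uid), uploads are in
# ROOT/images. The labels below are hypothetical, chosen for this sketch.
#
# Prints one "LABEL path" line per finding:
#   WRITABLE      the web account can modify something outside images/
#   WEB-OWNED     read-only, but owned by the web account, which as owner
#                 can chmod it writable again (the "medium-paranoid" layout)
#   WORLD-ACCESS  LocalSettings.php grants any permission to "other"
audit_wiki_perms() {
    root=${1%/}
    web_user=$2

    # Owner-writable entries owned by the web account, plus anything
    # group- or world-writable. Group write is flagged conservatively:
    # this sketch does not resolve the web account's group memberships.
    find "$root" -path "$root/images" -prune -o \
        \( \( -user "$web_user" -perm -200 \) -o -perm -020 -o -perm -002 \) \
        -print | sed 's/^/WRITABLE /'

    # Not writable right now, but the web account is the owner.
    find "$root" -path "$root/images" -prune -o \
        \( -user "$web_user" ! -perm -200 \) -print | sed 's/^/WEB-OWNED /'

    # Mode 600 and owner+group-read (640) both pass; any "other" bit fails.
    settings=$root/LocalSettings.php
    if [ -f "$settings" ]; then
        hit=$(find "$settings" \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
        if [ -n "$hit" ]; then
            echo "WORLD-ACCESS $settings"
        fi
    fi
}

# Usage: audit_wiki_perms /path/to/wiki webserver-account
```

No output means the tree matches the "extra-paranoid" layout: nothing outside images/ is owned or writable by the web account, and LocalSettings.php is closed to everyone else.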