I would suggest, if you want maximum security, making it so that the account
under which the website is running has read-only permissions to all files on
your website, unless it really needs to have write permissions -
specifically for MediaWiki, it would need write permissions in the /images
directory and its children. I don't believe it needs write access anywhere
else in the filesystem. If you are only medium-paranoid, you can leave the file
owner as the account under which the website is running, and change permissions
to read only. If you are extra-paranoid, you can change the owner to a user other
than the web server, give group read permissions to the group that the web server
is in, and no permissions to anyone else. I am extra-paranoid and it works fine - I
simply ftp to the site with the owner account to make changes to files, and I leave
them readable by the group that the web server is in.

Also, the way MediaWiki works, you never (at least off the top of my head)
need direct access to any .php files other than index.php. All other files
are used with includes or requires. Many of them have something like this as
the first lines in the file:

    if ( !defined( 'MEDIAWIKI' ) ) {
        die( "This file is part of MediaWiki, it is not a valid entry point" );
    }

This effectively prevents them from being used without having been called
from index.php. Not the most robust security mechanism, so you might want to
deny web access to files ending with .php except for index.php through settings
on your web server.

Marko

On 10/31/07, Emufarmers Sangly <emufarmers(a)gmail.com> wrote:
> > I have a fundamental question: who is the owner of Localsettings.php and
> > who is (or should be) the group for Localsettings.php? I assume both owner
> > and group have to "rw" right to Localsettings.php.
>
> LocalSettings.php should probably belong to your Web user and group, as
> presumably would all of the files for your Web site. I would recommend that
> you CHMOD LocalSettings.php to 600 unless your setup requires otherwise.
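
The "extra-paranoid" layout from Marko's message, as an added example that is not part of the original thread: one function sets the modes and one audits the tree for anything the web server group can write outside images/ or that other users can reach at all. The function names, and the deploy and www-data names in the comment, are hypothetical; it assumes ownership has already been set and that the wiki root path contains no glob characters.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumption: owner is the deploy/FTP account and group is the one the web
# server runs in, set beforehand (as root) with something like
#   chown -R deploy:www-data "$root"    # hypothetical account and group names

# Set modes: owner read/write, group read-only, others nothing.
harden_wiki_perms() {
    root=$1
    # Capital X grants search on directories (and keeps execute only on
    # files that already had it), so plain files end up 640 and dirs 750.
    chmod -R u=rwX,g=rX,o= "$root"
    # images/ and its children are the only place the web server group
    # gets write access.
    [ -d "$root/images" ] && chmod -R g+w "$root/images"
    return 0
}

# Print every path that breaks the layout; return 1 if any were found.
audit_wiki_perms() {
    root=$1
    bad=$(
        {
            # Any permission bit for "others", anywhere in the tree.
            find "$root" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
            # Group-writable paths outside images/.
            find "$root" -path "$root/images" -prune -o -perm -020 -print
        } | sort -u
    )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}
```

Run audit_wiki_perms from cron or after each upload of new code; a non-empty listing means something has drifted from the layout.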