On Apr 5, 2004, at 21:06, Peter wrote:
> /var/www/wiki has a dump of the mediawiki-1.2.0 stable
> tar-ball.
> Ran through the basic install which means putting LocalSettings.php
> in the same directory as index.php (/var/www/wiki)
> I noticed that localsettings.php has the DB name, username and PW in
> it.
> If one is readable, won't the other be as well? Is that safe?

If the file is requested, it'll be _executed_ as PHP and the _output_
(which is nothing) sent to the client. This should be reasonably safe
under normal configurations.

However, if you edit the file by hand, your editor might leave a backup
file which doesn't have a ".php" extension, so watch out for that. If
you're paranoid, you can move the actual passwords to a file outside
your web space and have LocalSettings.php include() the real file (this
is actually how we do things on Wikipedia, mainly just to simplify
administration of dozens of almost-identical configurations).

Also, your MySQL server really shouldn't accept connections from the
internet at large. If it's configured appropriately (socket connections
only or firewalled to a local network) then the potential risk of the
database passwords being leaked is rather smaller.

-- brion vibber (brion @ pobox.com)
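
The backup-file risk described in the reply above, as an added example that is not part of the original message: a Python check that walks a web root and lists editor leftovers of `.php` files, which a server would typically return as source text instead of executing. The pattern list and every sample file name other than `LocalSettings.php` and `index.php` are assumptions.

```python
import os
import re
import tempfile

# Editor leftovers of a .php file (assumed pattern list; extend for your editors).
BACKUP_RE = re.compile(
    r"""^(?:
        .+\.php~                                # Emacs/Vim/gedit backup: file.php~
      | .+\.php\.(?:bak|orig|old|save|sw[a-p])  # manual copies and Vim swap files
      | \#.+\.php\#                             # Emacs autosave: #file.php#
    )$""",
    re.IGNORECASE | re.VERBOSE,
)

def is_php_backup(name):
    """True if the file name looks like a leftover copy of a .php file."""
    return BACKUP_RE.match(name) is not None

def find_php_backups(web_root):
    """Return sorted paths (relative to web_root) of leftover copies of .php
    files. Their names no longer end in .php, so the PHP handler is usually
    not invoked and the raw source, passwords included, goes to the client."""
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if is_php_backup(name):
                hits.append(os.path.relpath(os.path.join(dirpath, name), web_root))
    return sorted(hits)

def demo():
    """Build a constructed sample web root in a temp directory and scan it."""
    sample = ["index.php", "LocalSettings.php", "LocalSettings.php~",
              ".LocalSettings.php.swp", "includes/Setup.php.orig", "README"]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("<?php # constructed sample, no real credentials\n")
        return find_php_backups(root)

if __name__ == "__main__":
    for hit in demo():
        print("served as plain text if requested:", hit)
```

Run `find_php_backups("/var/www/wiki")` against the install path from the question to check a real tree; an empty list means none of these patterns were found.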