On Thu, Aug 6, 2009 at 1:30 PM, Chad <innocentkiller@gmail.com> wrote:
> Depends on which maintenance script you're talking about. Update.php certainly does, as does renameDbPrefix (just to grab one off the top of my head).
update.php shouldn't need access other than to the wiki database, should it? Giving the normal wiki MySQL user rights to ALTER TABLE, etc. isn't a security risk. If we have a script to rename the DB prefix or fiddle with replication or whatever, then yeah, that will need root access (or at least significantly more access than the wiki should have on a multi-user/multi-app setup). But the overwhelming majority of admins won't need to use that. In that case, I think AdminSettings.php is certainly a good idea, so it could be readable only to root and not the web server.
Maybe the logic for these few maintenance scripts should go like:
1) Check in LocalSettings.php for admin login. (This is a bad idea if you have databases the web server isn't supposed to access! But probably fine for typical sites with only databases accessible to the web server anyway.)
2) Check in AdminSettings.php if that exists.
3) Try /root/.my.cnf or ~/.my.cnf, just in case that works, but don't fail fatally if a login is given there but doesn't have the needed privileges.
4) Prompt the user for a login.
I don't think this needs too much effort invested in it, though, since only very few admins should need to run scripts that need more than normal DB access.
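The lookup order proposed in steps 1 to 4, sketched as an added example that is not part of the original message and is not MediaWiki code. All function names are hypothetical, the privilege test is a stand-in callback, the my.cnf parsing is simplified to the `[client]` section, and "not readable by the web server" is approximated as "no group or other permission bits".

```php
<?php
// Added illustration for a CLI maintenance script; all function names are hypothetical.

// Step 3: read user/password from the [client] section of a my.cnf file.
function readMyCnf(string $path): ?array {
    if (!is_readable($path)) { return null; }
    $section = '';
    $found = [];
    foreach (file($path, FILE_IGNORE_NEW_LINES) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || $line[0] === ';') { continue; }
        if (preg_match('/^\[(.+)\]$/', $line, $m)) {
            $section = strtolower($m[1]);
        } elseif ($section === 'client' && preg_match('/^(user|password)\s*=\s*(.*)$/', $line, $m)) {
            $found[$m[1]] = trim($m[2], "\"'");
        }
    }
    return isset($found['user']) ? $found + ['password' => ''] : null;
}

// AdminSettings.php should be private to its owner: flag any group/other bits.
function adminSettingsTooOpen(string $path): bool {
    return is_file($path) && (fileperms($path) & 0077) !== 0;
}

// Steps 1-4: return the first login that passes $canAlter, else prompt.
// $candidates maps a source label to a login array, or null if the source is absent.
function resolveAdminLogin(array $candidates, callable $canAlter, callable $prompt): array {
    foreach ($candidates as $source => $login) {
        if ($login !== null && $canAlter($login)) {
            return ['source' => $source] + $login;
        }
        // Not fatal: a login that is missing or lacks privileges falls through.
    }
    return ['source' => 'prompt'] + $prompt();
}

// Constructed sample: a temporary my.cnf whose login fails the privilege check.
$cnf = tempnam(sys_get_temp_dir(), 'cnf');
file_put_contents($cnf, "[client]\nuser=backup\npassword=\"s3cret\"\n");
$login = resolveAdminLogin(
    ['LocalSettings.php' => null, 'AdminSettings.php' => null, '~/.my.cnf' => readMyCnf($cnf)],
    fn(array $l) => $l['user'] === 'root',   // stand-in for a real privilege test
    fn() => ['user' => 'root', 'password' => 'typed-at-prompt']
);
echo $login['source'], ' / too open: ', var_export(adminSettingsTooOpen($cnf), true), "\n";
unlink($cnf);
```

In a real script the `$canAlter` callback would connect with the candidate login and test for the privileges the script needs, and the prompt callback would read the password without echoing it.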