[Mediawiki-l] novice: securing in-place installation.
brion at pobox.com
Tue Apr 6 05:20:27 UTC 2004

On Apr 5, 2004, at 21:06, Peter wrote:
> /var/www/wiki has a dump of the mediawiki-1.2.0 stable tar-ball.
> Ran through the basic install which means putting LocalSettings.php
> in the same directory as index.php (/var/www/wiki)
> I noticed that localsettings.php has the DB name, username and PW in
> If one is readable, won't the other be as well? Is that safe?

If the file is requested, it'll be _executed_ as PHP and the _output_
(which is nothing) sent to the client. This should be reasonably safe
under normal configurations.

However, if you edit the file by hand, your editor might leave a backup
file which doesn't have a ".php" extension, so watch out for that. If
you're paranoid, you can move the actual passwords to a file outside
your web space and have LocalSettings.php include() the real file (this
is actually how we do things on Wikipedia, mainly just to simplify
administration of dozens of almost-identical configurations).

Also, your MySQL server really shouldn't accept connections from the
internet at large. If it's configured appropriately (socket connections
only or firewalled to a local network) then the potential risk of the
database passwords being leaked is rather smaller.

-- brion vibber (brion @ pobox.com)
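
Added example (not part of the original message and not MediaWiki's own code): a check for the editor-backup problem described in the reply above, listing copies of PHP files in the web space whose names no longer end in ".php" and flagging those that carry the database settings. It assumes only ".php" is handed to the PHP interpreter; the function names and the sample web root are constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: only these extensions are executed by PHP on this server;
# match this to the web server's actual handler configuration.
PHP_EXTENSIONS = {".php"}
# MediaWiki database settings that should never be served as plain text.
SECRET_RE = re.compile(r"\$wgDB(password|user|name)\s*=")


def find_exposed_copies(docroot):
    """Return sorted (relative path, has_secrets) for stray copies of PHP files."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            # Skip real PHP files (executed) and names that were never PHP.
            if ext in PHP_EXTENSIONS or ".php" not in name.lower():
                continue
            path = os.path.join(dirpath, name)
            with open(path, errors="replace") as fh:
                has_secrets = bool(SECRET_RE.search(fh.read()))
            findings.append((os.path.relpath(path, docroot), has_secrets))
    return sorted(findings)


def demo():
    """Build a constructed web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        config = '<?php\n$wgDBuser = "wikiuser";\n$wgDBpassword = "example-only";\n'
        samples = {
            "LocalSettings.php": config,       # executed by PHP, output is empty
            "LocalSettings.php~": config,      # editor backup, not executed
            "LocalSettings.php.bak": config,   # manual copy, not executed
            "index.php": "<?php // entry point\n",
            "index.php.orig": "<?php // entry point\n",
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return find_exposed_copies(root)


if __name__ == "__main__":
    for rel, has_secrets in demo():
        print(("SECRETS  " if has_secrets else "source   ") + rel)
```

Pointing find_exposed_copies() at the real web space (here /var/www/wiki) after hand-editing LocalSettings.php shows which leftovers to delete or move out of the web space.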