[Mediawiki-l] novice: securing in-place installation.

Brion Vibber brion at pobox.com
Tue Apr 6 05:20:27 UTC 2004


On Apr 5, 2004, at 21:06, Peter wrote:
> /var/www/wiki has a dump of the mediawiki-1.2.0 stable tar-ball.
> Ran through the basic install which means putting LocalSettings.php
> in the same directory as index.php (/var/www/wiki)
> I noticed that LocalSettings.php has the DB name, username and PW in
> it.
> If one is readable, won't the other be as well? Is that safe?

If the file is requested, it'll be _executed_ as PHP and the _output_ 
(which is nothing) sent to the client. This should be reasonably safe 
under normal configurations.

However, if you edit the file by hand, your editor might leave a backup 
file which doesn't have a ".php" extension, so watch out for that. If 
you're paranoid, you can move the actual passwords to a file outside 
your web space and have LocalSettings.php include() the real file (this 
is actually how we do things on Wikipedia, mainly just to simplify 
administration of dozens of almost-identical configurations).

Also, your MySQL server really shouldn't accept connections from the 
internet at large. If it's configured appropriately (socket connections 
only or firewalled to a local network) then the potential risk of the 
database passwords being leaked is rather smaller.

-- brion vibber (brion @ pobox.com)
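
The backup-file risk described in the reply above can be checked for routinely. The script below is an added example, not part of the original message or of MediaWiki; the function names, the script name and the list of editor suffixes are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): find editor backup copies of
# PHP files under a web root. Names such as LocalSettings.php~ no longer end
# in ".php", so a typical server returns their source instead of running it.

# find_php_backups DOCROOT: print matching paths, one per line, sorted.
# The suffix list is an assumption covering common editors; extend as needed.
find_php_backups() {
    find "$1" -type f \( \
        -name '*.php~'        -o -name '*.php.bak'  -o -name '*.php.orig' \
        -o -name '*.php.old'  -o -name '*.php.save' \
        -o -name '*.php.sw?'  -o -name '#*.php#' \
    \) -print | sort
}

# check_docroot DOCROOT: report findings. Exit status 0 = clean, 1 = backup
# files present, 2 = bad argument. Files that mention "password" are flagged
# as likely credential leaks.
check_docroot() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    found=$(find_php_backups "$1")
    [ -n "$found" ] || return 0
    printf '%s\n' "$found" | while IFS= read -r f; do
        if grep -qi 'password' "$f" 2>/dev/null; then
            echo "CREDENTIALS? $f"
        else
            echo "backup       $f"
        fi
    done
    return 1
}

# Run directly as: sh check_backups.sh /var/www/wiki
[ "$#" -eq 0 ] || check_docroot "$1"
```

The non-zero exit status on a finding makes it suitable for a cron job or a deployment check.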