[Mediawiki-l] LocalSettings.php - Security for MW on SourceForge

gregwk gregwk at vt.edu
Tue Dec 21 04:45:55 UTC 2004


That certainly sounds reasonable, but some web pages seem to indicate that some people have at least had success in restricting access to the LocalSettings.php file.

For example, Mozilla's wiki (at http://wiki.mozilla.org/index.php/LocalSettings.php) states:

"The wgDBuser and wgDBpassword variables contain the login name and password to be used by MediaWiki to access the database. Make sure the specified user has the proper access rights to be able to manipulate the wiki's table on the database server.
Also keep in mind that the LocalSettings.php permissions should not allow other users to view this file as it contains security-related data."

And a page that explains how to set up MediaWiki at DreamHost
(http://wiki.schubart.net/How_to_Install_MediaWiki_at_DreamHost)
contains the following section:

"Increase Security
The PHP files contain passwords, so let's restrict access:
chmod 600 /home/bob/wiki.bobsdomain.com/wiki/*.php"

Is SourceForge somehow fundamentally different from the Mozilla and DreamHost servers? If not, I'm inclined to think that someone has had success in this. However, when I try to change the permissions of my *.php files to 600, I am unable to log into the wiki. Has anyone had any experience setting up a MediaWiki and setting their *.php file permissions to 600?

G. Kulczycki

>===== Original Message From Brion Vibber <brion at pobox.com> =====
>
>On Dec 20, 2004, at 1:49 PM, gregwk wrote:
>> I set up a MediaWiki on SourceForge.
>> It seems that anyone with an account on SourceForge has read access to
>> my LocalSettings.php file, which contains my database password.
>[snip]
>> I am using MediaWiki 1.3.9. Any suggestions on how to prevent people
>> from reading my database password?
>
>From what I can tell, you can't reliably do this on SourceForge.
>
>The file must be readable by the web server; because of the way file
>permissions work this generally means it's readable by any local user:
>I can log into the SF servers as my own account and read your files, or
>I can write a web script on my SF site to read your SF site's files.
>
>If the file is owned by you (instead of by the web server) then you can
>at least keep other people from changing its permissions, but you can't
>stop them reading it.
>
>If SF used PHP's "Safe Mode" (which is problematic for many reasons,
>but sometimes useful for multiuser systems) this might be able to stop
>other peoples' PHP scripts from reading your file, but would probably
>not stop them from logging in and looking at your file or writing CGI
>scripts and looking at your file.
>
>Any database-driven application running on SF will have a similar
>problem, as far as I can see. In order to connect to the database, the
>scripts _must_ have access to the plaintext password to open a
>connection. Since the scripts are run under a common user ID, they all
>have access.
>
>-- brion vibber (brion @ pobox.com)
>
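The permission logic this thread turns on, as an added example that is not part of the original messages: it models the POSIX read check for LocalSettings.php and shows why mode 600 stops the wiki when PHP runs under a common web-server account, yet can work where PHP runs as the file's owner. The uids, gids and the names `can_read` and `exposure` are constructed for illustration, and per-user PHP execution is an assumption about hosts where 600 succeeds.

```python
import stat

# Constructed accounts as (uid, set of gids); none of these come from the thread.
SITE_OWNER = (1001, {1001})  # owns LocalSettings.php
OTHER_USER = (1002, {1002})  # another shell account on the same host
WEB_SERVER = (48, {48})      # common user ID that runs every site's scripts


def can_read(mode, file_uid, file_gid, proc_uid, proc_gids):
    """POSIX read check for a non-root process: only one class is consulted."""
    if proc_uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in proc_gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def exposure(mode, file_gid=1001, shared_web_uid=True):
    """Model LocalSettings.php owned by SITE_OWNER with the given mode and group.

    shared_web_uid=True: all PHP runs as WEB_SERVER (the setup Brion describes).
    shared_web_uid=False: each site's PHP runs as its owner (assumed per-user
    execution, which is what would make chmod 600 workable).
    """
    own_php = WEB_SERVER if shared_web_uid else SITE_OWNER
    their_php = WEB_SERVER if shared_web_uid else OTHER_USER
    check = lambda who: can_read(mode, SITE_OWNER[0], file_gid, *who)
    return {
        "wiki_works": check(own_php),
        "other_login_reads": check(OTHER_USER),
        "other_script_reads": check(their_php),
    }


if __name__ == "__main__":
    cases = [
        ("644, shared web uid", exposure(0o644)),
        ("600, shared web uid", exposure(0o600)),
        # Group set to the web server's group: needs an administrator's chgrp.
        ("640 + web group, shared web uid", exposure(0o640, file_gid=48)),
        ("600, per-user PHP", exposure(0o600, shared_web_uid=False)),
    ]
    for label, result in cases:
        print(f"{label:34} {result}")
```

In the 640 case other accounts can no longer read the file from a shell login, but their scripts still can, because those scripts run as the same web-server account.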