[Mediawiki-l] You should probably change your database password, since you just posted it for the world to see.

Domas Mituzas midom.lists at gmail.com
Mon May 23 17:17:18 UTC 2011


great job at lecturing, yet completely missing quite a few important points. 
you give examples of password files that are used to verify a user's password, not to supply it, and those files are accessed with suid privileges. 
a separate file would be as world-readable as LocalSettings - because the web server software would have to read it (or you'd have to do setuid trickery)
maybe putting it outside the webroot would make sense for certain improperly configured environments, but unfortunately there's no way to auto-detect such environments and their settings, not without a crystal ball at least.

there's enough privilege separation - you can use the superuser password to change the user password after each maintenance :)

oh well, I already wrote too much text to reply to your lunacy ;-) 


On May 23, 2011, at 7:20 PM, jidanni at jidanni.org wrote:

> You know, the current structure of how one sets up MediaWiki is just
> begging for trouble security wise,
> 
> "You should probably change your database password, since you just posted it for the world to see."
> http://www.mediawiki.org/w/index.php?title=Manual_talk:Preventing_access#Dosn.27t_seem_to_work
> 
> I mean I can hardly think of any other components here on my Linux
> system that encourage one to toss passwords right into the same file
> with the rest of one's settings. It's like we're still at day one when
> the program was first baked.
> 
> Indeed there is even /etc/shadow etc.
> Yes, the idea is there are two levels of security for /etc files...
> That way when we send one in for repairs, we don't have to worry if our
> house keys are still in it somewhere, usually.
> 
> Yes, the user could easily include() the passwords from a separate file,
> and indeed I remember there was an Admin*.php.
> 
> However putting the passwords in a separate file should be the default
> way mediawiki sets up, not something the user must do especially.
> 
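As an added illustration of the include()-from-a-separate-file approach discussed in the quoted message (this is example code written for this page, not MediaWiki's own code and not something either poster supplied), here is a LocalSettings.php fragment that loads the database credentials from a file outside the web root and refuses to start if that file is world-accessible. The path `/etc/mediawiki/db-secrets.php`, the helper `loadDbSecrets()` and the secrets-file layout are assumptions; `$wgDBuser` and `$wgDBpassword` are the real MediaWiki settings being populated.

```php
<?php
// Added example: load MediaWiki DB credentials from a file outside the web root.
// Assumed layout of /etc/mediawiki/db-secrets.php (owner root, group = web
// server group, mode 0640):
//
//   <?php return [ 'user' => 'wikiuser', 'password' => 'CHANGE-ME' ];
//
// The web server process still has to read this file (Domas's point above),
// so it cannot be root-only; the check below only enforces that "other"
// has no access and that the expected keys are present.

$dbSecretsFile = '/etc/mediawiki/db-secrets.php'; // assumed path

/**
 * Read the secrets file and validate its permissions and contents.
 * Throws RuntimeException on any problem so the wiki fails closed
 * instead of silently running with empty credentials.
 */
function loadDbSecrets( string $path ): array {
    if ( !is_file( $path ) || !is_readable( $path ) ) {
        throw new RuntimeException( "DB secrets file not readable: $path" );
    }

    // Reject world-readable/writable/executable files (any bit in 0007).
    $mode = fileperms( $path ) & 0777;
    if ( ( $mode & 0007 ) !== 0 ) {
        throw new RuntimeException( sprintf(
            'DB secrets file %s is world-accessible (mode %04o); use 0640 or stricter',
            $path, $mode
        ) );
    }

    $secrets = require $path;
    if ( !is_array( $secrets ) ) {
        throw new RuntimeException( "DB secrets file $path did not return an array" );
    }
    foreach ( [ 'user', 'password' ] as $key ) {
        if ( !isset( $secrets[$key] ) || $secrets[$key] === '' ) {
            throw new RuntimeException( "DB secrets file $path is missing '$key'" );
        }
    }
    return $secrets;
}

$dbSecrets = loadDbSecrets( $dbSecretsFile );
$wgDBuser = $dbSecrets['user'];
$wgDBpassword = $dbSecrets['password'];
unset( $dbSecrets ); // keep the array out of the global scope
```

The permission check does not change what Domas points out: whatever user PHP runs as can still read the secret, so this only narrows exposure to other local accounts and to a misconfigured server that would otherwise serve LocalSettings.php as plain text. Keeping the secrets file outside the document root removes that second case regardless of how .php handling is configured.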