Manual:Securing database passwords/ja

This page might not be up to date.

= LocalSettings.php =

LocalSettings.php contains the MySQL database password and the WikiSysop password. Leaving those passwords in LocalSettings.php is risky, because under several different conditions the .php file can be served as plain text, exposing the passwords, and with them the administrator's wiki account, to the world. If you want to keep the administrator account and password secret, remove them from LocalSettings.php.

LocalSettings.php can be served as plain text if:
 * PHP is disabled on the server
 * PHP itself is broken
 * somewhere in the domain there is a CGI script called search.pl (a common CGI search script). Description of exploit.

Check whether apache can gain access to this file, and restrict access to it so that only the administrator can read it when logged in.

== Fix (theory) ==

Find out what the apache user is called on your distribution (it varies; examples include "apache", "nobody" and "httpd"). Then set the permissions on the folder where you installed MediaWiki as follows:

 chown apache mediawikifolder
 chgrp apache mediawikifolder
 chmod o-rxw mediawikifolder    # remove access for other users
 (probably repeat with g-rxw ... for LocalSettings.php)

Make sure u has r and x (or <code>chmod 500 LocalSettings.php</code>).

Note: The fix above only works if you are granted rights to change your wiki folder's owner and group to apache's owner and group. If you execute the above without those rights you get: Access denied. To prevent this, do: <code>chmod 755 mediawikifolder</code>. Note: the rights then required for LocalSettings.php are: <code>chmod 500 LocalSettings.php</code>. No need for the executable bit. NOTE: "mediawikifolder" is the folder where you put your MediaWiki installation (e.g. /var/www/mediawiki).

Edit: it seems LocalSettings.php needs to have read access for others; I did <code>chmod o+rx LocalSettings.php</code>

== Example ==

There is no total security, but having apache access the files as "other" is far from secure.

Default permissions set for MediaWiki are root:root -rw-rw-r-- and lookup (x) for directories. I recommend setting ownership as above to apache (or whatever it is named on your server). Now you can either set the group to apache as well, or to a group of very few people who shall be allowed to access the data. Remember: don't act as root if possible! Instead act as a normal user who is in this group, staff.

Now create the group staff, or whatever you want to name it. If it exists already you'll get an error.

 kuser &                          # on KDE with a GUI, very simple
 groupadd staff                   # or on a POSIX terminal, add it by hand
 addgroup putYourNameHere staff   # add him to staff
 addgroup putNextNameHere staff   # add him to staff
 addgroup root staff              # add him to staff

I recommend this setting (you can type these commands one after another):

 export mediawikifolder="/var/www/mw6"   # put your setting here
 export apacheID="www-data"              # put your setting here, see above for examples
 export groupID="staff"                  # example, name it as you like or as you've set it earlier
 chown -R "$apacheID":"$groupID" "$mediawikifolder"
 chmod -R 460 "$mediawikifolder"         # user can read, group can read and write, others are not allowed
                                         # - be careful, directories come later
 chmod -R 660 "$mediawikifolder/images"  # we need write access for user (= apache) and group - you see,
                                         # no one else allowed
 chmod 660 "$mediawikifolder/config"     # allow write access for installation
 chmod -R u+X "$mediawikifolder"         # only user and staff can look up (x on dirs)
 chmod -R g+X "$mediawikifolder"

Later set:

 chmod 060 "$mediawikifolder/config"     # only staff

At this moment I can't see why the group apache has to be set. If you get problems with some modules or extensions you can do this:

 export mediawikifolder="/var/www/mw6"   # put your setting here
 export groupID="apache"                 # be sure to take the right group name that apache needs
 chgrp -R "$groupID" "$mediawikifolder"
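The permission rules from the "Fix (theory)" and "Example" sections above, turned into a small audit script. This is an added example written for this page, not code from the MediaWiki project; it assumes the recommendation above (LocalSettings.php owned by the web server user, with no read bit for "other"), and the function names are this example's own:

```shell
#!/bin/sh
# Added permission audit for LocalSettings.php. Example written for this
# page, not code from the MediaWiki project. It assumes the layout the
# sections above describe: the file should be owned by the web server user
# and must carry no read bit for "other". Function names are this example's own.

# world_readable FILE : exit 0 if the "other" read bit is set on FILE.
# Reads the ls(1) mode string, which has the same layout on GNU and BSD.
world_readable() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# owned_by FILE USER : exit 0 if FILE's owner is USER.
owned_by() {
    owner=$(ls -ld "$1" 2>/dev/null | awk '{print $3}')
    [ "$owner" = "$2" ]
}

# audit_settings FILE APACHE_USER : print one WARN line per finding and
# return the number of findings (0 means the file matches the recommendation).
audit_settings() {
    file="$1"; apache_user="$2"; findings=0
    if [ ! -f "$file" ]; then
        echo "WARN: $file does not exist"
        return 1
    fi
    if world_readable "$file"; then
        echo "WARN: $file is world-readable; run: chmod o-rwx $file"
        findings=$((findings + 1))
    fi
    if ! owned_by "$file" "$apache_user"; then
        echo "WARN: $file is not owned by $apache_user; run: chown $apache_user $file"
        findings=$((findings + 1))
    fi
    if [ "$findings" -eq 0 ]; then
        echo "OK: $file is not world-readable and is owned by $apache_user"
    fi
    return "$findings"
}

# Usage: sh audit.sh /var/www/mediawiki/LocalSettings.php www-data
# (path and user are placeholders; use your own folder and apache user)
if [ "$#" -ge 1 ]; then
    audit_settings "$1" "${2:-www-data}"
fi
```

The exit status is the number of findings, so the script can run from cron or a deployment hook and fail the job when the file has drifted back to world-readable.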

== Keep MySQL passwords out of the web root ==

You should never put your MySQL passwords in a text file that is within the web root. You can avoid doing so like this:

# Make a directory outside your web root. For example, if your website is located at "/htdocs/www-wiki", then make a directory called "external_includes" outside of your web root:
#: <code>mkdir /external_includes</code>
# Create a file in the directory you just made called something like "mysql_pw" and place a variable on a separate line for each of your MySQL user name, password, host name and database name, each variable being set to the real value. The file must start with a <code><?php</code> tag, otherwise <code>require_once</code> prints its contents instead of executing them. For example, using vi as your editor:
#: <code>vi /external_includes/mysql_pw</code>
#: <code>i</code> (vi command for insert)
#: Type the following lines, using the real values in place of the bracketed "mysql_" fillers:
#: <code><?php</code>
#: <code>$db_host="[mysql_host]";</code>
#: <code>$db_name="[mysql_db_name]";</code>
#: <code>$db_user="[mysql_user]";</code>
#: <code>$db_password="[mysql_password]";</code>
# Save the file. In vi this is: [Escape Key]ZZ
# Chmod and/or chown this file as explained in the previous example for LocalSettings.php, so that apache can read it. Usually something like:
#: <code>chown apache /htdocs/external_includes/mysql_pw</code>
#: <code>chmod o-rw /htdocs/external_includes/mysql_pw</code>
# Now edit your LocalSettings.php file and add the following line at the beginning of the file:
#: <code>require_once("[FULL ABSOLUTE PATH TO mysql_pw]");</code> (in our example this would be: <code>require_once("/external_includes/mysql_pw");</code>)
# Now, instead of your real password, user name, database name and host name, do this in LocalSettings.php:
#: <code>$wgDBserver   = $db_host;</code>
#: <code>$wgDBname     = $db_name;</code>
#: <code>$wgDBuser     = $db_user;</code>
#: <code>$wgDBpassword = $db_password;</code>

This way, if somebody is able to access and display LocalSettings.php, all they will see is the variable names rather than the real password, user name, etc. of your MySQL database, and the real file containing that information lies outside the area the web server serves. You still need to make sure LocalSettings.php is readable only by the apache user, as described above.

NOTE: If you are making these changes but cannot change file owners because your web hosting provider does not let you, then via FTP the minimum rights you have to set for "external_includes" are "rwxr-xr-x". For the file "mysql_pw" you will have to set "rwxr-xr--", otherwise your wiki will not run. Your password is still protected, because the file with the critical information is outside the web root and is never served.
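The steps above, written up as an added example for this page (not code from the MediaWiki manual or project). One helper writes the mysql_pw file in the format described, with the <code><?php</code> tag and a 0640 mode; the other flags a LocalSettings.php that still assigns a quoted literal to <code>$wgDBuser</code> or <code>$wgDBpassword</code>, which is the thing the procedure is meant to remove. Function names and sample values are this example's own assumptions:

```shell
#!/bin/sh
# Added example for the "password file outside the web root" pattern. Written
# for this page, not taken from the MediaWiki manual or project. Function
# names (php_sq, write_db_include, has_literal_credentials) are this
# example's own; the sample values are constructed.

# php_sq VALUE : render VALUE as a PHP single-quoted string literal, escaping
# backslash and single quote, so passwords containing $ or " stay intact.
php_sq() {
    printf "'%s'" "$(printf '%s' "$1" | sed 's/[\\'"'"']/\\&/g')"
}

# write_db_include DIR HOST DB USER PASS : create DIR/mysql_pw in the format
# the steps above describe, starting with the <?php tag (without it,
# require_once would print the file instead of executing it). The file is
# created under umask 077 and then set to 0640 (owner rw, group r, others
# nothing); chown it to the web server user/group afterwards as shown above.
# Prints the path of the file it wrote.
write_db_include() {
    dir="$1"; host="$2"; name="$3"; user="$4"; pass="$5"
    out="$dir/mysql_pw"
    (
        umask 077
        printf '%s\n' '<?php' \
            "\$db_host=$(php_sq "$host");" \
            "\$db_name=$(php_sq "$name");" \
            "\$db_user=$(php_sq "$user");" \
            "\$db_password=$(php_sq "$pass");" > "$out"
    )
    chmod 640 "$out"
    printf '%s\n' "$out"
}

# has_literal_credentials LOCALSETTINGS : exit 0 if $wgDBuser or $wgDBpassword
# is still assigned a quoted string literal rather than a variable such as
# $db_password; exit 1 when the file only references variables.
has_literal_credentials() {
    grep -Eq '^[[:space:]]*\$wgDB(user|password)[[:space:]]*=[[:space:]]*["'"'"']' "$1"
}

# Usage (placeholder values):
#   write_db_include /external_includes localhost wikidb wikiuser 'real-password'
#   has_literal_credentials /htdocs/www-wiki/LocalSettings.php && echo "literal credentials found"
```

The generated file uses single-quoted PHP strings rather than the double quotes in the steps above, so a password containing <code>$</code> or <code>"</code> cannot be mangled by PHP interpolation; the literal-credential check is a useful post-migration test, because a later LocalSettings.php edit can quietly put the password back.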

= PHP breakage security problems =

If your PHP breaks, the web server will serve LocalSettings.php as a regular file, giving the world your wiki database password!

== Fix ==

(may break elsewhere!)

 <Files LocalSettings.php>
     Order allow,deny
     Deny from all
     Allow from none
 </Files>

The rest of the wiki keeps the permissive default:

     Order deny,allow
     Allow from all

Replace sapi_apache2.c with mod_php4.c for Apache 1.3.

Replace sapi_apache2.c with mod_php5.c for Apache 2.
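An added check for the failure mode this section describes (not part of the manual): one function decides whether a response body looks like unparsed PHP source, and a wrapper fetches a URL of your own wiki with curl and reports, so you can confirm that the deny rule holds after a PHP upgrade or module change. Function names are this example's own and the URL in the usage line is a placeholder:

```shell
#!/bin/sh
# Added check (not part of the MediaWiki manual): detect whether a web server
# is handing out LocalSettings.php as plain text, which is what happens when
# PHP is disabled or broken. Function names are this example's own.

# leaks_php_source : reads a response body on stdin; exit 0 if it looks like
# unparsed PHP source (an opening tag or a $wg... assignment), 1 otherwise.
leaks_php_source() {
    grep -Eq '<\?php|\$wg[A-Za-z]+[[:space:]]*='
}

# check_localsettings_url URL : fetch URL (on your own wiki) and report.
# Returns 1 if PHP source came back, 0 if the body was empty, an error page,
# or ordinary HTML. curl -f turns a 403/404 into a failure with an empty body,
# which is the expected result when the <Files> rule above is in place.
check_localsettings_url() {
    url="$1"
    body=$(curl -fsS --max-time 10 "$url" 2>/dev/null || true)
    if printf '%s' "$body" | leaks_php_source; then
        echo "LEAK: $url returned PHP source; PHP is not handling .php files"
        return 1
    fi
    echo "OK: $url did not expose PHP source"
    return 0
}

# Usage (placeholder URL): sh check.sh https://wiki.example.org/LocalSettings.php
if [ "$#" -ge 1 ]; then
    check_localsettings_url "$1"
fi
```

A working PHP installation returns an empty body for LocalSettings.php (the file only assigns variables), and the deny rule returns 403, so any body that matches the pattern means the interpreter is no longer in front of the file.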