Manual:Securing database passwords/fr

By default, LocalSettings.php contains the MySQL database user name and password. Keeping these credentials in LocalSettings.php is risky, because under certain rare conditions PHP files can be served as plain text, revealing the credentials to the whole world:

Description of the exploit:
 * PHP is disabled on the server
 * PHP is broken
 * You have the CGI script search.pl (a very common search script) somewhere on this domain.

If you want to keep your MySQL user names and passwords secret even in these rare cases, then they should not be part of the LocalSettings.php file.

Keeping MySQL passwords out of web files
You should never put your MySQL passwords in a text file inside the web root. You can avoid this as follows:
 1) Create a directory outside of your web root. For example, if your website is located at "/htdocs/www-wiki", make a directory called "external_includes" outside of your web root:
    mkdir /external_includes
 2) Create a file in the directory you just made called something like "mysql_pw.php", and put a variable on a separate line for each of your MySQL user name, password, host name and database name, each variable set to the real value. For example, using nano as your editor:
    nano /external_includes/mysql_pw.php
 3) Type the assignment lines for $wgDBserver, $wgDBname, $wgDBuser and $wgDBpassword, using the real values in place of the bracketed "mysql_" fillers. Take care to leave no whitespace (blank lines) after the text.
 4) Save and close the file. In nano this is Ctrl+O, then Ctrl+X.

Check with your distro for what the web server's user is (this varies; examples include "apache", "nobody", "httpd"). Then set the permissions for the password file like so:
    chgrp apache mysql_pw.php
    chmod 640 mysql_pw.php
(this removes the access rights from other and the write rights from the web server). Probably repeat with g-rxw ... for LocalSettings.php, and make sure that u has r (or chmod 400 LocalSettings.php).

 5) Edit your LocalSettings.php file and add a line at the beginning of the file that includes the external password file.
 6) Now remove these variables from LocalSettings.php:
    $wgDBserver
    $wgDBname
    $wgDBuser
    $wgDBpassword
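As an added example, not the wiki page's own listing, the following shows what the top of LocalSettings.php can look like once the credentials live in the external file created above: it includes that file with require_once and stops if the file is missing, readable by other users, or does not set the four $wgDB* variables. The path /external_includes/mysql_pw.php and the variable name $dbCredentialsFile are assumptions, and the permission and variable checks go beyond what the page describes.

```php
<?php
// Top of LocalSettings.php (added example, not MediaWiki's own code).
// Assumed layout from the steps above: /external_includes/mysql_pw.php lives
// outside the web root, is owned by you with the web server's group, mode 640,
// and contains only the assignments of $wgDBserver, $wgDBname, $wgDBuser and
// $wgDBpassword, with no closing ?> tag or trailing blank lines.
$dbCredentialsFile = '/external_includes/mysql_pw.php'; // name chosen here

// Stop early rather than starting the wiki with no database credentials.
if ( !is_readable( $dbCredentialsFile ) ) {
	die( 'Database credentials file is missing or not readable by the web server.' );
}

// Refuse a file that "other" can read: this enforces the chmod 640 step.
if ( ( fileperms( $dbCredentialsFile ) & 0007 ) !== 0 ) {
	die( 'Database credentials file must not be world-readable (use chmod 640).' );
}

require_once $dbCredentialsFile;

// The included file must define all four variables with non-empty values,
// otherwise MediaWiki would fall back to whatever defaults it has.
foreach ( [ 'wgDBserver', 'wgDBname', 'wgDBuser', 'wgDBpassword' ] as $name ) {
	if ( !isset( $$name ) || $$name === '' ) {
		die( "Credentials file did not set \$$name." );
	}
}

// The rest of LocalSettings.php follows here; the four $wgDB* assignments
// that the installer originally wrote into this file are removed.
```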

This way, if somebody is able to access and display LocalSettings.php, all they will see is some settings rather than the user name, password and so on for your MySQL database, and the real file containing that information is off limits to the web server. You still need to make sure LocalSettings.php is read-only for the apache user, as described above.

If you can't create any files outside of your web root, you can still achieve some protection by going through the process above and using a file name like ".htdbpasswd" inside your web root instead of "mysql_pw.php", as most web servers are configured to deny access to any files beginning with .ht*.