Manual talk:Securing database passwords

From mediawiki.org
Jump to navigation Jump to search

Insecure recommendations![edit]

Everything I deleted from this page was completely wrong. If you set the owner of a file to be the webserver, it means that scripts and the webserver are able to change any permission at any time! Besides that, setting rights for the webserver to "read" does not hold it from reading the source and sending it out, so it's no fix. The most secure solution is to keep password out of the web root, to set password file's group ownership to that of the webserver, and to revoke all permissions from others. Please, don't set peoples installations at risk, when you don't know what you're doing writing silly instructions. --Bachsau (talk) 21:18, 30 September 2012 (UTC)

Is this unnecessarily complicated?[edit]

Elsewhere in this wiki it suggests that all you have to do is chmod 700 LocalSettings.php. See LocalSettings.php#Security. What is wrong with that? Camerojo (talk) 01:37, 10 January 2013 (UTC)

Obviously nothing. 400 would be more secure, but won't work everywhere. The only true answer to this is, that it depends on server configuration what works and what is secure. There is no general way on how to do it. If you know *nix and your server's configuration, you will be able to secure your installation, otherwise you won't. However, if you are on shared webspace, your provider's configuration is correct and there aren't any major security flaws in mediawiki, you won't have to do anything but upload, configure and be happy, and you should be secure. --Bachsau (talk) 13:59, 10 January 2013 (UTC)
There is no reason to make LocalSettings.php executable. More than 6xx should never be needed and, in fact, 400 would be ideal. LocalSettings.php#Security has been updated in the meantime. --88.130.113.200 23:55, 3 November 2015 (UTC)