Is 0700 or 0711 permission enough to protect database configuration files?

As we all know that with shared web hosting other users (websites) files could be revealed to others if 'others开发者_JAVA技巧' have the (read) permission .

I think 0700 or 0711 permission is the best way( in shared hosting) to protect important files the contain secret information .

I suppose that the server is using suPHP or any similar module so that keep the UID of the process is the same as the owner of the files being accessed.

So what do you say ?

You are correct. 700 would ensure nobody can read/write/execute that file, except the owner. So that would be good enough! In case it is to be executed, 711, else, 700.

However, if some operation involving that file fails, you should consider 711.

EDIT: As you have mentioned, if it contains a connection string, you can safely assume that nobody needs to be given write privileges, and give everyone execute privileges. So, 511(which is r_x __x __x) should do it.

You'll need execution rights only for directories, if your files are PHP source files you certainly do not need execution rights.

0640 and 2750 are usualy good rights for respectively Files and Directories (the 2 in the directory rights make the new files inherit user & group of the directory).

That is for files:

-rw-r-----

And directories

drwxr-s---

Which is right if the webserver is using the group rights and the FTP-or-such user being the owner. With Suexec and such you could maybe adjust these settings depending of who is the owner and who is the web reader (user? group?), the web reader does not need write access, except maybe on some specific directories depending on the application.

And do not forget files & directories rights are only one point in separation of user in a shared envirronment. For PHP envirronments using per-user open_basedir settings, temporary files and upload directories and per-user session directories is always a good idea (that can be defined in per-user virtualhosts).