Move config.php out of www folder
I'm starting to set up the security for my web server. For this, I created a folder outside of my www folder, where I put my config.php. This file holds sensitive database info.
I have two questions:
1) Should I rather keep it in the www folder and then move everything else down one level and make my web server point to that new web root?
2) What permissions should I set?
Currently I have set the:
owner to root (read-only)
group to root (read-only)
others (read-only) as well
I'm only really worried about others. Should I rather specify a user for it or create a new group altogether? Please also mention any other considerations. Thanks
EDIT: I forgot to mention, my web server distro is Ubuntu 10.10. EDIT2: My web server is nginx
If you do move your config.php file outside of your www, you may have an open_basedir issue, which will not allow that script to be processed as a PHP file (only on certain server configs). I think that moving your config file outside of the www folder is unnecessary as long as it is not echoing all that info out.
Keep in mind that if your server is processing php files correctly your server will not reveal the file content to the world.
so: 1) Keep it in the www folder 2) I set mine to 644
take a look at this for some more security info: http://www.acunetix.com/websitesecurity/php-security-3.htm
Good luck, Joe
I feel that safe mode should be off, but it's deprecated
OR
move config.php to config/ and then put this in config/.htaccess:
Deny from All
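A check covering both questions in this thread (where the file lives and who can read it), as an added example that is not from any of the posters: it reports whether a config file resolves to a location under the web root and whether its mode bits let other local accounts read or modify it. Both paths are supplied by the caller and are assumptions, not values from the asker's server.

```shell
#!/bin/sh
# Added example: audit where a PHP config file lives and who can read it.
# Both paths are caller-supplied; none come from the thread.

# Physical absolute path of a file (resolves symlinked directories).
resolve_path() {
    local dir
    dir=$(cd -- "$(dirname -- "$1")" 2>/dev/null && pwd -P) || return 1
    printf '%s/%s\n' "$dir" "$(basename -- "$1")"
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' -- "$1" 2>/dev/null || stat -f '%Lp' -- "$1"
}

# audit_config CONFIG WEBROOT
# Prints one finding per line. Status: 0 clean, 1 findings, 2 bad input.
audit_config() {
    local cfg root mode rest other group rc=0
    cfg=$(resolve_path "$1") && [ -f "$cfg" ] || { echo "MISSING: $1"; return 2; }
    root=$(cd -- "$2" 2>/dev/null && pwd -P) || { echo "MISSING: $2"; return 2; }
    mode="00$(file_mode "$cfg")"          # pad so short modes like "4" still split
    other=${mode#"${mode%?}"}             # last octal digit: everyone else
    rest=${mode%?}
    group=${rest#"${rest%?}"}             # second-to-last digit: group

    # Under the web root, the source is served as text if PHP handling breaks.
    case "$cfg" in
        "$root"/*) echo "IN_WEBROOT: $cfg"; rc=1 ;;
    esac
    # Read bit for "others" exposes the DB credentials to every local account.
    case "$other" in
        [4567]) echo "WORLD_READABLE: mode ${mode#00}"; rc=1 ;;
    esac
    # Write bit for group or others lets a non-owner replace the credentials.
    case "$group$other" in
        [2367]?|?[2367]) echo "WRITABLE_BY_NON_OWNER: mode ${mode#00}"; rc=1 ;;
    esac
    return "$rc"
}

# Stand-alone use: sh audit.sh /path/to/config.php /path/to/webroot
if [ "$#" -eq 2 ]; then audit_config "$1" "$2"; fi
```

A file outside the web root with mode 640, whose group is the account PHP runs as (an assumption; the thread does not name it), produces no findings. Both 444 and 644 are reported as WORLD_READABLE.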