
Move config.php out of www folder

I'm starting to set up the security for my web server. For this, I created a folder outside of my www folder, where I put my config.php. This file holds sensitive database information.

I have two questions:

1) Should I rather keep it in the www folder and then move everything else down one level and make my web server point to that new web root?

2) What permissions should I set?

Currently I have set the

owner to root (read-only)

group to root (read-only)

others (read-only) as well

I'm only really worried about others. Should I rather specify a user for it or create a new group altogether? Please also mention any other considerations. Thanks

EDIT: I forgot to mention, my web server distro is Ubuntu 10.10.

EDIT2: My web server is nginx


If you do move your config.php file outside of your www, you may have an open_basedir issue, which will not allow that script to be processed as a PHP file (only on certain server configs). I think that moving your config file outside of the www folder is unnecessary as long as it is not echoing all that info out.

Keep in mind that if your server is processing PHP files correctly, your server will not reveal the file content to the world.

So:

1) Keep it in the www folder

2) I set mine to 644

Take a look at this for some more security info: http://www.acunetix.com/websitesecurity/php-security-3.htm

Good luck, Joe


I feel that safe mode should be off, but it's deprecated

OR move config.php to config/ and then put this in config/.htaccess:

Deny from All
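A shell check for the two things the question asks about, where config.php sits relative to the web root and what its permission bits allow, as an added example that is not part of the original thread. It assumes GNU `readlink` and `stat` (as on Ubuntu); the function name `audit_config` and the temporary paths are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes GNU readlink/stat (Ubuntu).

# audit_config FILE WEBROOT   (hypothetical helper name)
# Prints one finding per line. Returns 0 if clean, 1 if findings, 2 on bad input.
audit_config() {
    file=$(readlink -f -- "$1") && [ -f "$file" ] || { echo "no such file: $1" >&2; return 2; }
    root=$(readlink -f -- "$2") && [ -d "$root" ] || { echo "no such dir: $2" >&2; return 2; }
    found=0

    # Placement: under the web root, the file is one PHP handler
    # misconfiguration away from being served as plain text.
    case "$file" in
        "$root"/*) echo "inside web root: $file"; found=1 ;;
    esac

    mode=$(stat -c '%a' -- "$file")      # e.g. 644
    owner=$(stat -c '%U:%G' -- "$file")  # e.g. root:root

    # "Others" read bit: any local account that can reach the directory
    # can read the database credentials.
    if [ $(( 0$mode & 04 )) -ne 0 ]; then
        echo "world-readable: mode $mode, owner $owner"; found=1
    fi
    # Group/other write bits: someone besides the owner can replace the file.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "writable by group or others: mode $mode, owner $owner"; found=1
    fi
    return "$found"
}

# Constructed demo: the two layouts discussed in the thread, built in a temp dir.
demo() {
    d=$(mktemp -d) && mkdir "$d/www" "$d/private" || return 2
    echo '<?php $db_pass = "constructed";' > "$d/www/config.php"
    cp "$d/www/config.php" "$d/private/config.php"
    chmod 644 "$d/www/config.php"       # in web root, readable by others
    chmod 640 "$d/private/config.php"   # outside web root, owner and group only
    rc_in=0;  audit_config "$d/www/config.php" "$d/www"     || rc_in=$?
    rc_out=0; audit_config "$d/private/config.php" "$d/www" || rc_out=$?
    rm -rf "$d"
    echo "in-root rc=$rc_in, outside rc=$rc_out"
}
demo
```

A file that passes this check must still be readable by the account PHP runs as, for example through the file's group.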
