Author Topic: chmod 600 config/db.inc.php  (Read 7594 times)

Offline zoidberg

  • Newbie
  • *
  • Posts: 8
chmod 600 config/db.inc.php
« on: July 30, 2008, 09:26:59 PM »
This file holds my postgresql password in the clear. It should not, and need not be world-readable.

:eek:
zoidberg

Offline bpat1434

  • Administrator
  • Hero Member
  • *****
  • Posts: 673
chmod 600 config/db.inc.php
« Reply #1 on: July 31, 2008, 03:48:36 PM »
Yes, while it does hold your password in the clear, if someone attempts to view it through the browser, because it is a php file, it will be parsed an nothing but white-space will be outputted.  So there is no security issue there.  If someone does hack your RC installation, it's via FTP or some other attack and your database password is the least of your worries.  Most likely they'll have your FTP password and that would be more pertinent ;)
 
  

Offline zoidberg

  • Newbie
  • *
  • Posts: 8
chmod 600 config/db.inc.php
« Reply #2 on: July 31, 2008, 08:41:32 PM »
Quote from: bpat1434;13172
So there is no security issue there.


I'm running roundcube on a machine which has shell account users. Why should they be simply able to cat the file? My point is that world-readability of db.inc.php is unnecessary for roundcube's operation, therefore should not exist. That's just good engineering practice, or so it seems to me. Lord knows I am not attorney, that's just my opinion, and I could be wrong!

:o
zoidberg

Offline smultronstallet

  • Jr. Member
  • **
  • Posts: 11
chmod 600 config/db.inc.php
« Reply #3 on: August 04, 2008, 04:21:13 PM »
You might want to try changing the group of the db.inc.php to your web server's user (www or apache or whatever it is on your system). Then only make users who need to access that file a member of that group.

chgrp www /path/to/db.inc.php
chmod 770 /path/to/db.inc.php


Then change your all your users' group access with vigr, or whatever command your system uses to manage groups.

Just a suggestion.

Offline zoidberg

  • Newbie
  • *
  • Posts: 8
chmod 600 config/db.inc.php
« Reply #4 on: August 04, 2008, 11:51:56 PM »
Oh yes, thanks, I have the thing squared away on my end to my satisfaction, with the world-read bit turned off. My point was to suggest that roundcube should not initially install db.inc.php in a world-readable state.
zoidberg