Roundcube Community Forum

SVN Releases => Requests => Topic started by: zoidberg on July 30, 2008, 09:26:59 PM

Title: chmod 600 config/db.inc.php
Post by: zoidberg on July 30, 2008, 09:26:59 PM
This file holds my postgresql password in the clear. It should not, and need not be world-readable.

:eek:
Title: chmod 600 config/db.inc.php
Post by: bpat1434 on July 31, 2008, 03:48:36 PM
Yes, while it does hold your password in the clear, if someone attempts to view it through the browser, because it is a php file, it will be parsed and nothing but white-space will be output.  So there is no security issue there.  If someone does hack your RC installation, it's via FTP or some other attack and your database password is the least of your worries.  Most likely they'll have your FTP password and that would be more pertinent ;)
Title: chmod 600 config/db.inc.php
Post by: zoidberg on July 31, 2008, 08:41:32 PM
Quote from: bpat1434;13172
So there is no security issue there.


I'm running roundcube on a machine which has shell account users. Why should they be simply able to cat the file? My point is that world-readability of db.inc.php is unnecessary for roundcube's operation, therefore should not exist. That's just good engineering practice, or so it seems to me. Lord knows I am not an attorney, that's just my opinion, and I could be wrong!

:o
Title: chmod 600 config/db.inc.php
Post by: smultronstallet on August 04, 2008, 04:21:13 PM
You might want to try changing the group of the db.inc.php to your web server's user (www or apache or whatever it is on your system). Then only make users who need to access that file a member of that group.

chgrp www /path/to/db.inc.php
chmod 770 /path/to/db.inc.php


Then change all your users' group access with vigr, or whatever command your system uses to manage groups.

Just a suggestion.
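The group-based approach above, as an added example (not code from the thread or from Roundcube): a small POSIX sh script that checks whether a config file is world-readable and, if so, hands it to the web server's group and drops the "other" bits. It uses mode 640 instead of 770, since PHP only needs to read the file; the group name "www" is an assumption, substitute whatever your web server runs as.

```shell
#!/bin/sh
# Added example, not from the thread or from Roundcube: audit and tighten
# the permissions of a config file such as config/db.inc.php so that only
# the owner and the web server's group can read it.

# Return 0 (true) if the file grants read access to "other".
is_world_readable() {
    # Characters 8-10 of the ls mode string are the "other" rwx bits;
    # this is portable across GNU and BSD ls, unlike stat's flags.
    other_bits=$(ls -ld "$1" | cut -c8-10)
    case "$other_bits" in
        r*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Print the group owning the file (used to confirm chgrp took effect).
file_group() {
    ls -ld "$1" | awk '{print $4}'
}

# Tighten the file: owner read/write, group read-only, nothing for others.
# 640 rather than 770 because an included PHP config never needs the
# execute bits, and the web server only needs to read it.
harden_config() {
    file=$1
    webgroup=$2          # assumption: e.g. www, apache or www-data
    chgrp "$webgroup" "$file" || return 1
    chmod 640 "$file" || return 1
    if is_world_readable "$file"; then
        echo "still world-readable: $file" >&2
        return 1
    fi
    return 0
}

# Example call (paths and group are assumptions):
# harden_config /path/to/roundcube/config/db.inc.php www
```

Run it as a user who owns the file (or as root); shell-account users who still need to read the config are then added to that group with vigr, as the post above describes.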
Title: chmod 600 config/db.inc.php
Post by: zoidberg on August 04, 2008, 11:51:56 PM
Oh yes, thanks, I have the thing squared away on my end to my satisfaction, with the world-read bit turned off. My point was to suggest that roundcube should not initially install db.inc.php in a world-readable state.