
storing database mysql information in setup_options.php - is it secure?

 
lbartoli
Forums Member
#1 | Posted: 4 Sep 2002 18:28
I'm going to install miniBB and I'm concerned about writing the db user and passwd in the setup_options file.
Could someone else read this information? Should I protect this file in some way?

Thanx

Luca
Team
8-)
#2 | Posted: 5 Sep 2002 10:15
lbartoli
This information can be read only by the server's administrator, actually. In some cases the server's configuration also allows all registered users on that server to read other users' files (but this is rare nowadays). This file cannot be read from the web or via public access.
lbartoli
Forums Member
#3 | Posted: 5 Sep 2002 11:12
OK, I would trust you (I'm a really inexperienced webmaster), but I'm wondering: web access to files and directories (on a Linux server) depends on the chmod settings, doesn't it? Which kind of settings should I use (i.e., 644 for files and 755 for directories)? Is it an issue?

Luca
Team
8-)
#4 | Posted: 5 Sep 2002 14:10
lbartoli
In the case of a server, note that only users who have shell access can access your files. They are not available via FTP or web. And you can't do anything with permissions - the PHP script (with "ALL" permissions) requires script to run. This file is in any case available for reading from the web - but users will not see anything inside it - try it yourself.

http://www.minibb.com/forums/setup_options.php
lbartoli
Forums Member
#5 | Posted: 6 Sep 2002 00:52
Ok, I got it.
Thanks again (for the support and for the fantastic job you are doing with miniBB).

luca
Anonymous
Guest
#6 | Posted: 30 Sep 2002 16:14
You probably know this but anyway, there is quite a big security risk when someone provides free
shell accounts (like me) and uses miniBB (like me again). Now, anyone who has a shell account on my Linux box can
look at setup_options.php in the miniBB directory and see what my MySQL and admin passwords are. And setup_options.php
rights have to be at least 705 because otherwise miniBB doesn't work. :/

So if you have some advice for this problem, I would be more than glad to hear it.
Paul
CEO
#7 | Posted: 30 Sep 2002 16:15 | Edited by: Admin
Yes, that problem exists, but it is solved by the server's settings, not
miniBB itself. PHP needs to know the EXACT password for connecting to the
database. Even if we encode this password with simple algorithms
(which can be decoded back), it is not the best solution, because
everyone can decode it and view it anyway (because miniBB is
open source, and there is no protection, why simple users can not
decode data, if they have knowledge in PHP).

Another reason that we can not encode password data is that most users
are mostly lazy. If we say - go there and there, type your password,
then go back to options, and copy-paste the result - this is unreal.
Users just type in what they know. Of course, we would do automatic
encoding - but in that way, setup_options needs to be CHMODed to 777
(that's the worst), then back to 755... shite... Many script
programmers are doing that, but in my opinion, it is even worse than
simply typing in setup_options w/o changing the permission.

The only solution in your case is TO FORBID shell-users to read
files from other directories (not from where they are owners). It is
easily configurable in Linux. And it really needs to be done for other security purposes!!!
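An added example (not part of the original posts and not miniBB code): a POSIX shell check for the exposure discussed in posts #6 and #7, reporting whether accounts outside the file's owner and group can reach and read a credentials file. The function names, the `forum` directory and the 750 directory mode are assumptions for illustration; closing the directory this way only works if the web server's PHP process runs under the directory's owner or group.

```shell
#!/bin/sh
# has_mode_bits PATH OCTAL: true when every bit in OCTAL is set in PATH's mode.
has_mode_bits() {
    [ -n "$(find "$1" -prune -perm "-$2" -print 2>/dev/null)" ]
}

# exposed_to_others FILE BASE
# Prints "exposed" when FILE has the other-read bit AND every directory from
# FILE's parent up to BASE (inclusive) has the other-search (execute) bit,
# i.e. any local account can walk to the file and read it.
# Prints "protected" as soon as one of those bits is missing.
exposed_to_others() {
    file=$1
    base=$2
    if ! has_mode_bits "$file" 004; then
        echo protected; return 0
    fi
    dir=$(dirname "$file")
    while :; do
        if ! has_mode_bits "$dir" 001; then
            echo protected; return 0
        fi
        [ "$dir" = "$base" ] && break
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    echo exposed
}

# Constructed sample tree standing in for a forum install (not real paths).
demo() {
    root=$(mktemp -d) || return 1
    mkdir "$root/forum"
    : > "$root/forum/setup_options.php"
    chmod 755 "$root" "$root/forum"
    # Mode 705 as described in post #6: readable by every local account.
    chmod 705 "$root/forum/setup_options.php"
    echo "705 file, 755 dir: $(exposed_to_others "$root/forum/setup_options.php" "$root")"
    # Assumed fix: directory closed to "other"; owner and group still get in.
    chmod 750 "$root/forum"
    echo "705 file, 750 dir: $(exposed_to_others "$root/forum/setup_options.php" "$root")"
    rm -rf "$root"
}
demo
```

On a real host, pass the path to the forum's own `setup_options.php` and `/` as the base so every ancestor directory is checked.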
PeKa
Forums Member
#8 | Posted: 30 Sep 2002 17:39
I think that's part of a joke:

"If I do this, it hurts"

"Then...don't do it!?"
 