miniBB Support Forums

storing database mysql information in setup_options.php - is it secure?

Author lbartoli
Registered
#1 | Posted: 4 Sep 2002 18:28 
I'm going to install miniBB and I'm concerned about writing the db user and passwd in the setup_options file.
Could someone else read this information? Should I protect this file in some way?

Thanx

Luca

Author Team
8-)
#2 | Posted: 5 Sep 2002 10:15 
lbartoli
This information can be read only by the server's administrator, actually. In some cases the server's configuration also allows all registered users on that server to read other users' files (but this is rare nowadays). This file cannot be read from the web or via public access.

Author lbartoli
Registered
#3 | Posted: 5 Sep 2002 11:12 
OK, I would trust you (I'm a really inexperienced webmaster), but I'm wondering: web access to files and directories (on a Linux server) depends on the chmod settings, doesn't it? Which kind of settings should I use (i.e., 644 for files and 755 for directories)? Is it an issue?

Luca

Author Team
8-)
#4 | Posted: 5 Sep 2002 14:10 
lbartoli
In the case of a server, note that only users who have shell access can access your files. They are not available via FTP or the web. And you can't do anything with permissions - the PHP script (with "ALL" permissions) requires script to run. This file is in any case available for reading from the web - but users will not see anything inside it - try it yourself.

http://www.minibb.com/forums/setup_options.php

Author lbartoli
Registered
#5 | Posted: 6 Sep 2002 00:52 
Ok, I got it.
Thanks again (for the support and for the fantastic job you are doing with miniBB).

luca

Author Anonymous
Guest
#6 | Posted: 30 Sep 2002 16:14 
You probably know this, but anyway: there is quite a big security risk when someone provides free shell accounts (like me) and uses miniBB (like me again). Now, anyone who has a shell account on my Linux box can look at setup_options.php in the miniBB directory and see what my MySQL and admin passwords are. And the setup_options.php rights have to be at least 705 because otherwise miniBB doesn't work. :/

So if you have some advice for this problem, I would be more than glad to hear it.

Author Paul
Lead Developer
#7 | Posted: 30 Sep 2002 16:15 | Edited by: Admin 
Yes, that problem exists, but it is solved by the server's settings, not
miniBB itself. PHP needs to know the EXACT password for connecting to the
database. Even if we encode this password with simple algorithms
(which can be decoded back), it is not the best solution, because
everyone can decode it and view it anyway (because miniBB is
open source, and there is nothing to stop ordinary users from
decoding the data if they have knowledge of PHP).

Another reason that we cannot encode password data is that most users
are mostly lazy. If we say - go there and there, type your password,
then go back to options, and copy-paste the result - this is unreal.
Users just type in what they know. Of course, we would do automatic
encoding - but in that way, setup_options needs to be CHMODed to 777
(that's the worst), then back to 755... shite... Many script
programmers are doing that, but in my opinion, it is even worse than
simply typing in setup_options w/o changing the permission.

The only solution in your case is TO FORBID shell-users to read
files from other directories (not from where they are owners). It is
easily configurable in Linux. And it really needs to be done for other security purposes!!!
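
Added example (not part of the thread and not miniBB code): a shell check for the exposure described in posts #6 and #7, namely whether an unrelated local account can read a credentials file such as setup_options.php. It looks only at the classic mode bits (ACLs are not evaluated); the function names and the optional TOP argument are hypothetical.

```shell
#!/bin/sh
# Mode-bit audit for a credentials file on a shared host (added example).

# Print the 10-character type+permission string, e.g. "-rwx---r-x" for 705.
perm_string() {
    ls -ld -- "$1" | cut -c1-10
}

# other_can_read FILE [TOP]
# Returns 0 if the "other" class (a local account that is neither the owner
# nor in the group) can read FILE: FILE needs o+r, and every directory from
# FILE's parent up to TOP (default /) needs o+x so the path can be traversed.
# Returns 1 if the mode bits block that, 2 if the path cannot be inspected.
other_can_read() {
    file=$1
    top=${2:-/}
    [ -e "$file" ] || return 2
    case $(perm_string "$file") in
        ???????r??) ;;           # o+r is set on the file
        *) return 1 ;;
    esac
    dir=$(cd -- "$(dirname -- "$file")" && pwd -P) || return 2
    top=$(cd -- "$top" && pwd -P) || return 2
    while :; do
        case $(perm_string "$dir") in
            ?????????[xt]) ;;    # o+x ("t" = sticky plus x) allows traversal
            *) return 1 ;;
        esac
        [ "$dir" = "$top" ] && return 0
        [ "$dir" = "/" ] && return 0
        dir=$(dirname -- "$dir")
    done
}

# Usage: sh audit.sh /path/to/setup_options.php [TOP]
if [ $# -gt 0 ]; then
    other_can_read "$@" && rc=0 || rc=$?
    case $rc in
        0) echo "EXPOSED: any local account can read $1" ;;
        1) echo "OK: mode bits keep unrelated local accounts out of $1" ;;
        *) echo "could not inspect $1" >&2 ;;
    esac
fi
```

A file at 705 or 644 under world-traversable directories reports EXPOSED, which is the situation in post #6; the result changes only when the file loses o+r or some directory on the path loses o+x, and whether the web server still reaches the file then depends on which account it runs as.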

Author PeKa
Registered
#8 | Posted: 30 Sep 2002 17:39 
I think that's part of a joke:

"If I do this, it hurts"

"Then...don't do it!?"
