miniBB ® 

miniBB

®
Support Forums
  
 | Start | Register | Search | Statistics | File Bank | Manual |
The Other miniBB Support Forums / The Other /  
 

storing database mysql information in setup_options.php - is it secure?

 
Author lbartoli
Partaker
#1 | Posted: 4 Sep 2002 18:28 
I'm going to install miniBB and I'm concerned about writing db user and passwd in the setup_options file.
Could someone else read these information ? Should I protect this file in some way ?

Thanx

Luca

Author Team
8-)
#2 | Posted: 5 Sep 2002 10:15 
lbartoli
This information can be read only by server's administrator, actually. In some cases server's configuration allows also all registered users on that server read other users' files (but this is for nowadays rare). This file can not be read from web or public access.

Author lbartoli
Partaker
#3 | Posted: 5 Sep 2002 11:12 
Ok, I would trust you (I’m a real inexperienced webmaster), but I'm wondering, does the web access to files and directories (on a linux server) depends on the chmod settings, doesn’t it ? Which kind of settings should I use (i.e., 644 for files and 755 for directories) ? Is it an issue ?

Luca

Author Team
8-)
#4 | Posted: 5 Sep 2002 14:10 
lbartoli
In a case of server, pay attention that only users who has shell access can access your files. They are not available via FTP or web. And you can't do anything with permissions - the PHP script (with "ALL" permissions) requires script to run. This file in any case is available for reading from web - but users will not see anything inside it - try yourself.

https://www.minibb.com/forums/setup_options.php

Author lbartoli
Partaker
#5 | Posted: 6 Sep 2002 00:52 
Ok, I got it.
Thanks again (for the support and for the fantastic job you are doing with miniBB).

luca

Author Anonymous
Guest
#6 | Posted: 30 Sep 2002 16:14 
You probably know this but anyway, there is quite big security risk when someone provides free
shell-accounts(like me)and uses miniBB(like me again). Now, anyone who has a shell-account in my linux-box can
look at setup_options.php in miniBB directory and watch what is my MySQL and admin passwords. And setup_options.php
rights have to be at least 705 because otherwise miniBB doesn't work. :/

So if you have some advice for this problem, i would be more than glad to hear it.

Author Paul
Lead Developer 
#7 | Posted: 30 Sep 2002 16:15 
Yes, that problem exists, but it is solved by server's settings, not
miniBB itself. PHP needs to know EXACT password for connecting to
database. Even if we encode this password with simple algorythms
(which can be de-encoded back), it is not the best solution, because
everyone can de-encode it and view it in anyway (because miniBB is
open source, and there is no protection, why simple users can not
de-encode data, if they have knowledge in PHP).

Another reason that we can not encode password data is that most users
are mostly lazy. If we say - go there and there, type your password,
then go back to options, and copy-paste the result - this is unreal.
Users just type in what they know. Of course, we would do automatical
encoding - but in that way, setup_options needs to be CHMODed to 777
(that's the worest), than back to 755... shite... Many script
programmers are doing that, but on my opinion, it is even worest than
simply type in setup_options w/o changing the permission.

The only one solution in your case is TO FORBID shell-users to read
files from another directories (not from where they are owners). It is
easy configurable in Linux. And it really needs to be done for another security purposes!!!

Author PeKa
Partaker
#8 | Posted: 30 Sep 2002 17:39 
I think that's part of a joke:

"If I do this, it hurts"

"Then...don't do it!?"

The Other miniBB Support Forums / The Other /
 storing database mysql information in setup_options.php - is it secure?
 Share Topic's Link

Your Reply Click this icon to move up to the quoted message


  ?
Post as a Guest, leaving the Password field blank. You could also enter a Guest name, if it's not taken by a member yet. Sign-in and post at once, or just sign-in, bypassing the message's text.


Before posting, make sure your message is compliant with forum rules; otherwise it could be locked or removed with no explanation.

 

 
miniBB Support Forums Powered by Forum Software miniBB ® Home  Features  Requirements  Demo  Download  Showcase  Gallery of Arts
Compiler  Premium Extensions  Premium Support  License  Contact Us
Install the Captcha add-on: protect your miniBB-forums from the automated spam and flood.


  ⇑