From: Adam S. <la...@sp...> - 2001-04-28 21:51:34
> We discovered this problem a few months ago and it's been on the task
> list for a while... but in general there's no good solution so far. I
> think .htaccess files are going to be the best route.

why not include a default .htaccess file in the right place, protecting the right things. the biggest problem i see is that not all isps provide the ability to change things via .htaccess files, and some change the name of the file used to do this.

> The one thing we can't protect against though is a malicious local
> user. That would require the PhpWiki files to be owned and readable by
> the web server user only, I suppose, or put yourself and the server
> user in a group... we haven't discussed this on the list in some time.

you can protect against this. the best way to do this is to create the root phpwiki directory with permissions 2770 and give group write to all files/dirs below it. now make the web server user own everything and create a group that people must belong to in order to manually modify files. ideally all data and config files should be outside of the document root as well. we used to do this at the last isp i worked at to protect our document root on our netapps. so long as no one fat fingers a chmod/chown it works great. :)

adam.
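A check for the layout described in this message, added here as an example and not part of the original post or of PhpWiki: it audits a tree for the 2770 root, the group-write bit below it, and the expected owner and group, so a stray chmod/chown shows up. The function name `audit_wiki_tree` and its three arguments are assumptions; pass your own path, web server account and editing group.

```shell
#!/bin/sh
# Added example, not PhpWiki code.
# audit_wiki_tree ROOT OWNER GROUP
#   ROOT  - PhpWiki root directory (site-specific, supplied by the caller)
#   OWNER - account the web server runs as (name or numeric id)
#   GROUP - group people must belong to in order to edit files by hand
# Prints one line per finding; returns 0 when the tree is clean, 1 otherwise.
audit_wiki_tree() {
    root=$1 owner=$2 group=$3
    status=0

    [ -d "$root" ] || { echo "MISSING $root"; return 1; }

    # Root must be exactly 2770: setgid, rwx for owner and group, nothing for others.
    if [ -z "$(find "$root" -prune -perm 2770)" ]; then
        echo "BAD-ROOT-MODE $root (want 2770)"
        status=1
    fi

    # Everything must belong to the web server user and the editing group.
    # A find error (for example an unknown account) counts as a failure.
    bad=$(find "$root" \( ! -user "$owner" -o ! -group "$group" \) -print) || {
        echo "ERROR could not check ownership under $root"
        status=1
    }
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/WRONG-OWNER-OR-GROUP /'
        status=1
    fi

    # Files and directories need group write so group members can edit them.
    # Symlinks are skipped: their own mode bits are not meaningful.
    bad=$(find "$root" ! -type l ! -perm -020 -print) || status=1
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/NO-GROUP-WRITE /'
        status=1
    fi

    return $status
}
```

Run it from cron or a deployment hook, for example `audit_wiki_tree /path/to/phpwiki www-data wikiedit`, where all three values are placeholders for your own site.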