Help:Security Checklist
From GRWiktionaryHelp
LocalSettings.php
LocalSettings.php contains the MySQL database passwords and the WikiSysop passwords. Verify that Apache can read this file and that only administrators have access to it when logged in.
Fix
Check with your distro for what the apache user is.
chown apache mediawikifolder
chgrp apache mediawikifolder
chmod o-rxw mediawikifolder (removes the access rights from other)
(probably repeat with g-rxw ... for LocalSettings.php)
make sure that u has r and x (or chmod 500 LocalSettings.php)
Note: The fix above only works if you are granted rights to change your wiki folder's owner and group to Apache's owner and group. If you do execute the above, you get: Access denied. To prevent this, do:
chmod 755 mediawikifolder
Note: Rights then required for LocalSettings.php are:
chmod 600 LocalSettings.php
No need for the executable bit.
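A way to verify the result of either fix, as an added example that is not part of the original wiki page: the function below (its name is made up here) reports whether LocalSettings.php is readable by its owner and closed to group and other, and optionally whether it belongs to the expected web server user. It assumes GNU stat; the file path and owner name are supplied by the caller.

```shell
#!/bin/sh
# Added example, not part of the original wiki page.
# Assumes GNU coreutils stat (-c); path and owner are supplied by the caller.

# check_localsettings FILE [EXPECTED_OWNER]
# Prints one line per finding. Returns 0 if the file matches the checklist
# (owner can read, group and other have no access), 1 otherwise.
check_localsettings() {
    ls_file=$1
    ls_owner=${2:-}
    ls_rc=0

    # Reject missing files and symlinks (a link's own mode says nothing useful).
    if [ ! -f "$ls_file" ] || [ -L "$ls_file" ]; then
        echo "FAIL: $ls_file is missing or is not a regular file"
        return 1
    fi

    ls_mode=$(stat -c '%a' "$ls_file")   # octal, e.g. 600 or 644
    ls_user=$(stat -c '%U' "$ls_file")

    # Any group/other bit exposes the passwords to other local accounts.
    if [ $(( 0$ls_mode & 077 )) -ne 0 ]; then
        echo "FAIL: mode $ls_mode grants group/other access; use chmod 600 (or 500)"
        ls_rc=1
    fi

    # The owner (the web server user) must still be able to read the file.
    if [ $(( 0$ls_mode & 0400 )) -eq 0 ]; then
        echo "FAIL: mode $ls_mode does not let the owner read the file"
        ls_rc=1
    fi

    # Optional: compare against the distro's Apache user (apache, www-data, ...).
    if [ -n "$ls_owner" ] && [ "$ls_user" != "$ls_owner" ]; then
        echo "FAIL: owner is $ls_user, expected $ls_owner"
        ls_rc=1
    fi

    if [ "$ls_rc" -eq 0 ]; then
        echo "OK: $ls_file mode $ls_mode owner $ls_user"
    fi
    return "$ls_rc"
}

# Run as: sh check.sh /path/to/LocalSettings.php apache
if [ $# -gt 0 ]; then
    check_localsettings "$@"
fi
```

Both 600 and 500 pass, matching the two variants of the fix above; 640 or 644 is reported as a failure.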
PHP breakage security problems
If your PHP breaks, Apache will serve LocalSettings.php as a regular file, giving the world your WikiSysop password!
Fix
(may break elsewhere!)
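# Applies only when the PHP module is not loaded
<IfModule !sapi_apache2.c>
  # Refuse to serve .php files as plain text
  <Files ~ '\.php$'>
    Order allow,deny
    Deny from all
    # Redundant: under "Order allow,deny", "Deny from all" already wins
    Allow from none
  </Files>
  # .phps (PHP source) files remain accessible
  <Files ~ '\.phps'>
    Order deny,allow
    Allow from all
  </Files>
</IfModule>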
Replace sapi_apache2.c with mod_php4.c for Apache 1.3.
