[Typo3-linux] Changing location of localconf.php and install tool issue
Dimitri Tarassenko
mitka at mitka.us
Tue Oct 11 12:12:16 CEST 2005
On 10/11/05, Thorsten Kahler <thorsten.kahler at dkd.de> wrote:
> Hi Francesco,
>
> having a "fake localconf.php" isn't supported by the install tool (yet).

And probably never will be, since it does not make your system any
more secure and does not lower any risks.

Your "real" localconf.php will still have to be readable by the
processes with effective user of nobody/www/apache. The fact that it's
not going to be under webroot doesn't really change anything. In
several attacks against web servers that I have witnessed the hackers
typically start with downloading and executing a shell relay on the
attacked server, which gives them shell access to your server with
privileges of your webserver. Obviously, in this case moving your
localconf.php is not going to be a lot of help.

If you just want to isolate different shell users from each other and
prevent them from looking up each other's MySQL passwords, I suggest
chmod o-r on localconf.php or something along the lines of suexec /
mod_suphp.

--
Dimitri Tarassenko
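
Added example (not part of the original message or of TYPO3): a POSIX shell audit for the `chmod o-r` suggestion above. It reports whether a config file is readable by every local account and re-checks after the other-read bit is removed. The temp file is a constructed stand-in for localconf.php and the function names are hypothetical; after the change the web server account must be the file's owner or in its group to keep reading it.

```shell
#!/bin/sh
# Audit whether a config file (e.g. localconf.php holding MySQL credentials)
# can be read by every local shell user, and apply the o-r fix.

# mode_string FILE: print the 10-character ls mode string, e.g. -rw-r-----
mode_string() {
    ls -ld -- "$1" | cut -c1-10
}

# other_can_read FILE: succeed if the "other" class has the read bit set.
# Character 8 of the mode string is the other-read position.
other_can_read() {
    [ "$(mode_string "$1" | cut -c8)" = "r" ]
}

# audit_conf FILE: print one finding line.
# Returns 0 = not world-readable, 1 = world-readable, 2 = file missing.
audit_conf() {
    f=$1
    [ -e "$f" ] || { echo "MISSING $f"; return 2; }
    if other_can_read "$f"; then
        echo "EXPOSED $f $(mode_string "$f") readable by every local account"
        return 1
    fi
    echo "OK $f $(mode_string "$f")"
    return 0
}

# harden_conf FILE: remove the other-read bit, then re-audit.
# Owner and group bits are left untouched so the web server user keeps access.
harden_conf() {
    chmod o-r -- "$1" && audit_conf "$1"
}

# Demo on a constructed temp file standing in for localconf.php.
demo() {
    tmp=$(mktemp) || return 1
    chmod 644 "$tmp"            # typical permissive default
    audit_conf "$tmp" || true   # reports EXPOSED
    harden_conf "$tmp"          # reports OK with mode -rw-r-----
    rm -f "$tmp"
}
demo
```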