I have an account, but drupal.org is not allowing me to log in!

I do have a question about the security of the includes/conf.php file. It's world readable and the password to the DB is stored in this file. Other than making it owned by apache and making it readable only by apache, is there anything else that can be done to secure this file a bit more? It's fine the way it is for a system where users don't have shell access, but in a setup where users *do* have shell access, it becomes a HUGE security hole.

Comments

al

> Other than making it owned by apache and make it readable only by
> apache, is there anything else that can be done to secure this
> file a bit more?

Well, if you don't trust your operating system to provide security for your files, then you're utterly stuffed anyway. If only the apache user can read it, and your users can't, how is that a "HUGE security hole"?