File permissions and ownership

I installed using the cPanel instructions here, and have not changed any of the permissions or ownerships. On checking from another PC this morning, I see that the ./database/database.mysql file can be viewed freely on a web browser. However, I get a 401 "authorization required" error when I try to wget the file.

It looks like the following part of the .htaccess file is designed to stop people snooping around that stuff.

<Files ~ "(\.(inc|module|pl|sh|sql|theme|engine|xtmpl)|Entries|Repositories|Root|scripts|updates)$">
  Order deny,allow
  Deny from all
</Files>

But it is only blocking .sql extensions not .mysql extensions. If you are concerned about it (there's no real security risk) you could either delete the .mysql files or fix the .htaccess file. I should probably look to see whether anyone has registered that as a bug.

The reason wget doesn't work but your browsers does is that your browser has already logged in and has a session cookie. The 401 error is what you get when the site needs authentication credentials and you haven't given it any yet. A 403 is what you'd get if the access was actually denied.

Similarly, I can't wget the ./sites/default/settings.php file, again getting a 401 error.

Yep you need to be logged in, to get to that URL. Note though that even if you are logged in, it is a php file. That means it runs on the webserver - it should just give you a blank screen because the code in the file just sets variables and it doesn't output anything. Calling the URL doesn't give the user the php listing.

Does that suggest that things are as they should be?

Pretty much. There is no real risk from that stuff, but if you are feeling paranoid you could tighten it up some more.

I'm assuming that the ownership of the files should be "myusername" given that it's a shared server and I don't have root access (though I do have shell access), so presumably it is running in my home directory on the server, and that the permissions should be -rw-r--r-- for pretty much everything.

Yes you should own all the files - although the upload files (eg from the uploads or filestore modules) will end up owned by the user that the webserver runs as which may or may not be you.

If possible you want to remove the world readable bit from your settings.php at least because it has your database access string in it (although this helps, it still isn't completely watertight on most shared servers). Whether or not you can do this will depend on which user the webserver runs as and if you can change the group ownership of the files (probably unlikely).

See http://drupal.org/node/31766 for some more info - it's aimed at non unixy people though.

--
Anton