将config.php移出www文件夹

Question

I'm starting to set up the security for my web server. For this, I created a folder outside of my www folder, where I put my config.php. This file holds sensitive database infos.

I have two questions:

1) Should I rather keep it in the www folder and then move everything else down one level and make my web server point to that new web root?

2) What permissions should I set?

currently I have set the

owner to root (read-only)

group to root (read-only)

others (read-only) as well

I'm only really worried about others. Should I rather specify a user for it or create a new group altogether? Please also mention any other considerations. Thanks

EDIT: I forgot to mention, my web server distro is Ubuntu 10.10. EDIT2: My web server is nginx

Answer 1

我觉得应该关闭安全模式，但是不建议使用它，或者将config.php移到config /，然后将其放在config / .htaccess中： Deny from All

Answer 2

if you do move your config.php file outside of your www, you may have a openbase_dir issue, which what will not allow that script to be processed as a php file (only on certain server configs.. I think that moving your config file outside of the www folder is unnecessary as long as it is not echoing all that info out.

Keep in mind that if your server is processing php files correctly your server will not reveal the file content to the world.

so: 1) Keep it in the www folder 2) I set mine to 644

take a look at this for some more security info: http://www.acunetix.com/websitesecurity/php-security-3.htm

Good luck, Joe