Morbus Iff wrote:
Well yeah, thats the point. We don't want anyone to browse to settings.php. Only two things need to be able to access that file... drupal, and the administrator.
Why not? I really think this is getting crazy, securitywise.
* An admin would have to screw up .php configuration badly.
* An admin would have to screw it up badly for a *length* of time.
* The liklihood of an admin screwing up .php for a *length* of time is about as equal to them screwing up the DocRoot of a virtualhost (thus, exposing a protected settings.php).
This stuff just doesn't happen in principle, and the downsides of making it secure for a "just in case" is, IMO, not worth the effort.
Just for the record: I agree with Morbus. If somebody misconfigures Apache it is his fault, not ours. Once again: We can't prevent people from shooting themselves into the foot. Cheers, Gerhard