[development] let's cleanup /misc
morbus at disobey.com
Wed Jan 11 16:14:10 UTC 2006
> Well yeah, that's the point. We don't want anyone to browse to
> settings.php. Only two things need to be able to access that file...
> drupal, and the administrator.
Why not? I really think this is getting crazy, securitywise.
* An admin would have to screw up .php configuration badly.
* An admin would have to screw it up badly for a *length* of time.
* The likelihood of an admin screwing up .php for a *length* of
time is about as equal to them screwing up the DocRoot of
a virtualhost (thus, exposing a protected settings.php).
This stuff just doesn't happen in principle, and the downsides of making
it secure for a "just in case" are, IMO, not worth the effort.
Morbus Iff ( you are nothing without your robot car, NOTHING! )
Culture: http://www.disobey.com/ and http://www.gamegrene.com/
O'Reilly Author, Weblog, Cook: http://www.oreillynet.com/pub/au/779
icq: 2927491 / aim: akaMorbus / yahoo: morbus_iff / jabber.org: morbus