[development] let's cleanup /misc

Gerhard Killesreiter gerhard at killesreiter.de
Wed Jan 11 17:19:41 UTC 2006


Morbus Iff wrote:

>> Well yeah, thats the point. We don't want anyone to browse to
>> settings.php. Only two things need to be able to access that file...
>> drupal, and the administrator.
>
>
> Why not? I really think this is getting crazy, securitywise.
>
>  * An admin would have to screw up .php configuration badly.
>
>  * An admin would have to screw it up badly for a *length* of time.
>
>  * The liklihood of an admin screwing up .php for a *length* of
>    time is about as equal to them screwing up the DocRoot of
>    a virtualhost (thus, exposing a protected settings.php).
>
> This stuff just doesn't happen in principle, and the downsides of 
> making it secure for a "just in case" is, IMO, not worth the effort.
>

Just for the record: I agree with Morbus. If somebody misconfigures 
Apache it is his fault, not ours.

Once again: We can't prevent people from shooting themselves into the foot.

Cheers,
    Gerhard



More information about the development mailing list